Re: Symmetric encypher with private key decypher

[Alphax]

Mikmorg wrote:
 I am looking for a way to use symmetric encryption on a day-to-day basis,
 using a key-file of some sort to decypher the file. I have decided that
 using my asymmetric private key in the following way was the best for this,
 using the following method:
 

I think I sort of get what you are trying to do here:

random key - encrypt data w/ random key
  |
  V
   encrypt key w/ public key

... which is actually what GPG does with bog-standard public key
encryption! Or do you want something else?

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: authenticate flag

[Alphax]

Aaron J. Graves wrote:
 I have created a key that for some reason does not have the authenticate
 flag set. Is there a way I can somehow set this flag? Or do I have to start
 from scratch?
 
 Here's an example. From the key in question:
 
 pub 1024D/9FB54294 created: 2006-09-17 expires: never usage: SC
 trust: ultimate validity: ultimate
 sub 4096g/DE94A6C4 created: 2006-09-17 expires: never usage: E
 
 And from another key that has the flag set:
 pub 1024D/34BAFE51 created: 2006-08-26 expires: 2011-08-25 usage: SCA
 trust: ultimate validity: ultimate
 sub 4096g/84400184 created: 2006-08-26 expires: 2011-08-25 usage: E
 
 Notice the A in the usage section. How can I add that to my other key?
 Or if it's not necessary, would it be possible to ask why?
 

As someone wiser than me said about a year and a half ago, a key with
the authenticate flag could be used to eg. unlock your PC instead of
using a username/password.

To set the flag during key creation, use gpg --expert --gen-key:

 Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(3) DSA (set your own capabilities)
(5) RSA (sign only)
(7) RSA (set your own capabilities)
 Your selection?

Select (7) and toggle the A option.

Adding it to an existing key requires a deep understanding of the
OpenPGP spec (RFC 2440) and a hex editor; alternatively, you could add a
subkey with this capability (gpg --expert --edit 0xkeyid, addkey,
passphrase, 7, A, Q).

HTH,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Importing my keys fails

[Alphax]

Michael Erskine wrote:
 On Wednesday 29 November 2006 21:33, Joseph Bruni wrote:
 An OpenSSH key is not an OpenPGP key. There are some efforts to use OpenPGP
 keys for SSH authentication, however.
 
 Can they be somehow integrated or will I always need two (or more) sets of 
 keys? Are the keys used by OpenSSH in themselves somehow less secure or is 
 there something in their nature that means they can never be used by OpenPGP? 
 My limited understanding was that symetric keys were just a pair of fancy 
 numbers! :)
 

Since I can't be bothered explaining, here are some links that will do
it for me:

http://en.wikipedia.org/wiki/Public-key_cryptography
http://www.gnupg.org/gph/en/manual.html
http://sixdemonbag.org/cryptofaq.html

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Logo ballot reminder

[Alphax]

Wouter van Heyst wrote:
 On Wed, Nov 29, 2006 at 01:21:20PM -0500, Andrew Myers wrote:
snip
 I hope the election system has been working well for everyone otherwise.
 
 The system was fairly easy to use, the hardest part was deciding how the
 various entries ranked :)
 

I saw something weird where moving entries around didn't preserve the
order that you had put things in... I ended up writing out all the
option numbers on scraps of paper and shuffling them around until they
were in the order I wanted :)

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Two servers...one KeyPair

[Alphax]

Joseph Oreste Bruni wrote:
 Your question is ambiguous. What are you trying to do? Use one key pair
 on two systems, or use two key pairs on two systems?
 
 If the former, simply copy the .gnupg directory to the second system.

That advice is seriously flawed. You do *not* want to copy the
random-seed file!

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Two servers...one KeyPair

[Alphax]

Henry Bremridge wrote:
 On Wed, Nov 29, 2006 at 08:20:06PM +1030, Alphax wrote:
  
 That advice is seriously flawed. You do *not* want to copy the
 random-seed file!

 Just out of interest: why?
 

As someone a lot smarter than me pointed out in a message I can't find
when I suggested just copy the .gnupg directory (and with a bit of
background info thrown in, and I'm not a cryptographer and haven't
really studied the GnuPG internals so I might be wrong):

GPG is a hybrid cryptosystem; messages are (symmetrically) encrypted to
random session keys, which are then (asymmetrically) encrypted to a
number of recipient public keys. Part of the security of the system is
that the session key is random or as close to it as possible; because
GPG will work on many different and varying systems, there is no
guarantee of a system-wide random data source, so you can't just read
from /dev/random or /dev/urandom every time you want a bit of random
data, because it might not exist (and these have their own problems).
So, GPG has it's own internal pseudorandom number generator. In order to
speed things up a bit, it normally has an internal seed of pooled random
data - which it stores in .gnupg/random_seed while it's not using it.
When GPG decides it wants some random data, it generates it using this
file as the seed - so if you know what the random seed file was, it's
(somewhat) easier to predict what the next lot of random data is going
to be. So, you don't want two installations of GPG to have the same
random_seed, because you're going to start producing deterministic output...

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG 2.0

[Alphax]

Aldert Hazenberg wrote:
 
 On Nov 13, 2006, at 4:28 PM, Werner Koch wrote:
 
  A port to Windows might
 eventually be done but as of now I see no reason for it.
 
 
 Hi Werner,
 
 What is your reason for no windows port of 2.0 ?
 Is it a business reason ? Or ideological ?
 

As I understand, technological: the structures used in GPG2 simply don't
exist in W32-land.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to enable a block cipher or hash algorithm for a keypair?

[Alphax]

Crest da Zoltral wrote:
 I searched any documentation i found on the net about how to edit keys,
 but I didn't found a way to enable a different cipher or digest? With
 `gpg --edit-key $key_id showpref` it's only possible to view the
 preferences and `gpg --edit-key $key_id pref` seems only to print the
 prefs in shorter harder to read form. So how can I enable Twofish and
 SHA-512 (without overriding the preferences with --cipher-algo and
 --digest-algo)?

$ gpg --edit-key 0xDEADBEEF
Secret key is available

pub  2048R/0xDEADBEEF  created: 2006-01-01  expires: never usage: SC
   trust: ultimate  validity: ultimate
sub  2048g/0xCAFEBABE  created: 2006-01-01  expires: never usage: E
[ultimate] (1). Person (comment) [EMAIL PROTECTED]

Command setpref h8 h10 h3 h2 s4 s9 s10 s8 s7 z3 z2 z1 mdc no-ks-modify
Set preference list to:
 Cipher: BLOWFISH, AES256, TWOFISH, AES192, AES, 3DES
 Digest: SHA256, SHA512, RIPEMD160, SHA1
 Compression: BZIP2, ZLIB, ZIP, Uncompressed
 Features: MDC, Keyserver no-modify
Really update the preferences? (y/N)

You need a passphrase to unlock the secret key for
user: Person (comment) [EMAIL PROTECTED]
2048-bit RSA key, ID 0xDEADBEEF, created 2006-01-01

Enter passphrase:

Command quit
Save changes? (y/N) y

HTH,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG and PGP Compatibility

[Alphax]

Alphax wrote:
re: setting the extension in Enigmail
 I've filed an RFE at
 http://bugzilla.mozdev.org/show_bug.cgi?id=15442.
 

Well, apparantly it's already doable:

 You can set this with the following two preferences in about:config (or in
 Thunderbird via Preferences/Advanced/Config Editor):
 
 extensions.enigmail.inlineAttachExt
 extensions.enigmail.inlineSigAttachExt

Hope that helps,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG and PGP Compatibility

[Alphax]

Conan Purves wrote:
 Hello everybody,
snip
 When I encode attachments, it gives them a .gpg suffix.  My colleagues
 who are using PGP Desktop cannot decode those files.  Though I can
 decode their files, either using the gpgee contextual menu or
 automatically through enigmail.
 
 Practically speaking, is there a solution for this?  My colleagues are
 most likely going to want to continue using PGP Desktop.
 

Although it's only freeware and not open source, GPGShell
http://www.jumaros.de/rsoft/index.html will give you explorer and
system tray integration, and let you use a .pgp extension. I've filed an
RFE at http://bugzilla.mozdev.org/show_bug.cgi?id=15442.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG Outlook Plug-In and Signatures

[Alphax]

Ryan Malayter wrote:

 HTML + OpenPGP = FAIL.

 In English: HTML screws up OpenPGP. You don't want it. There are other
 reasons why you don't want HTML anyway but I won't go into them here.
 
 
 Actually, when I sign an HTML email with GPGOL, and send it to my
 Gmail account, I seem to get this on the receiving end:
 
 1) A plain text version of the message, signed in-line.
 
 2) An attachment of .HTML type, which contains the original unaltered
 HTML message.
 
 3) A second attachment, which is seems to be an ASCII detached
 signature of the first attached HTML file.
 

You just discovered the second reason why HTML email is evil: it sends
everything TWICE. For people still on 33.6kb/s dialup that is a major
inconvenience.

 Does any other OpenPGP client handle this attachment result? Or do
 you need to save the attachments and manually verify the detached
 signature? GPGOL itself doesn't seem to read this exploded format,
 even though it creates it. GPGOL only verifies the plain text version.
 

PGP/MIME capable mail clients /may/ handle it, but you'd have to
actually try it to be certain. Such a test should be conducted off-list
in order to avoid flames for an HTML posting.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Key problem

[Alphax]

Johannes Schmid wrote:
 Hi!
 
 OK, I think I misunderstood something.
 
 Anyway, 'gpg --armor --export [EMAIL PROTECTED]' which should do
 the right the thing ends up with exactly the same error message.
 
 And it seems like I have no really good backup availible, the error is
 in all backups...
 

What version of GPG/PGP did you create your key/backups with? Try using
that version to recover your key.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Howto add ssh keys to .gnupg/sshcontrol?

[Alphax]

Michael Bienia wrote:
 Hello,
 
 I'm having trouble to add my ssh key to a running gpg-agent (started
 with --enable-ssh-support).
 
 The comments in .gnupg/sshcontrol suggests you can do it with ssh-add or
 manually. When I try it with ssh-add I'm asked about my passphrase but
 afterwards ssh-add -l doesn't list it and it also doesn't show up in
 sshcontrol.
 The comment also mentions that one can add it manually by adding a
 keygrip of 40 hex digits. How do I get this keygrip from my ssh key to
 add it manually?
 

I assume you mean fingerprint?

ssh-keygen -l [-f input_keyfile]

-l  Show fingerprint of specified public key file.  Private RSA1
keys are also supported.  For RSA and DSA keys ssh-keygen tries
to find the matching public key file and prints its fingerprint.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Logo suggestions

[Alphax]

Zach Himsel wrote:
snip
 Also, one question. Should the icon be detailed enough to be big
 (like the gmail logo:
 http://mail.google.com/mail/help/images/logo1.gif)? Or should it be
 smaller and less detailed (for use as a program icon or small logo
 (like the small gmail logo, which is the m in the gmail logo by
 itself)?
 
 I was thinking do two versions, maybe have one big and one small
 (like the big Gmail/small m; or the abiword logo which has
 Abiword with the special A which can be used as a logo itself).
 Maybe have the gnu with the lock in a bigger logo (for the website,
 etc.) and then do a smaller, less detailed one with the gnu/lock
 geared more towards program icons (like 16x16 or 32x32 or 64x64).
 
 

Good question. Here's something that came up on another list:

 Two days before the start of conference, in the organizers' office.
  person X is layouting the press kit, searching for highresolution
 versions of all project logos. The project Y logo was available
 only as small image.
 
 Scaled to print resolution, it was 10x12 mm which looked a bit small
 on an DIN A4 page.
 
 person Z had redrawn the project Y logo for a convention,
 unfortunately the file was lost on a broken hard disk. No problem,
 let's just take a digital camera, take a photo from the printout he
 still had, do a little bit of filtering in gimp... So we used a photo
 of a bitmap graphic and, at least for my part, are using it till
 today.
 
 Shall I tell you the story of the t-shirt producer, too, who wanted
 to print the project W logo as a serigraph?
 
 And all this because nobody thought - when the logos were chosen -
 that logos are not just for the upper left corner of website but
 are needed in suitable versions for print as well.

So yes, logos should be available at high resolutions. One easy way to
ensure this is to create them in vector form, eg. as an SVG file.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Create a key without subkey?

[Alphax]

Eike Herzbach wrote:
 Hi,
 
 How do I generate an encryption key with gnupg? I tried some options
 but it always generates me a sign-only key with an encryption subkey.
 I need to receive encrypted financial data from a system that uses
 PGP5. When I send in my key to that system it outputs me the
 following:
 
 [PGP Ausgabeprotokoll]
 Adding keys:
 Key ring: '[EMAIL PROTECTED]'
 Type Bits KeyID  CreatedExpiresAlgorithm   Use
 pub  1024 0xAF7B19C4 2006-09-25 -- DSS Sign only
 sub  2048 0x508FA9D7 2006-09-25 -- Diffie-Hellman
 uid  Eike Herzbach [EMAIL PROTECTED]
 
 Later when the system tries to send me an encrypted message it fails
 and says that it can't encrypt with a Sign-only key. (I guess it is
 not able to use the subkey and only sees the 'outer' key)
 
 Is there a way to fix this in GnuPG? Or do I have to get PGP5 to
 generate such a key?
 

Questions, questions...

What version of GPG are you using?

What options did you try?

What do you want this key to be able to do?

What does GPG tell you about the key?

You probably want gpg --expert --gen-key, select (7) RSA (set your
own capabilities), and to set Sign, encrypt, certify.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: DSA2

[Alphax]

Robert J. Hansen wrote:
snip
 I don't know off the top of my head whether DSA supports firewalled hash
 functions or not.  I believe that the last time I checked the spec, I
 came to the conclusion it did not.
 
 RSA signing keys, on the other hand, do support firewalling.
 

Interesting. I'm looking at the official (November 1998) RFC 2440 and
it's not immediately obvious that this is the case; although both the
Version 3 and Version 4 signature packet formats say that the hash
algorithm is part of the body of the packet, it says of RSA signatures:

With RSA signatures, the hash value is encoded as described in PKCS-1
section 10.1.2, Data encoding, producing an ASN.1 value of type
DigestInfo, and then padded using PKCS-1 block type 01 [RFC2313].
This requires inserting the hash value as an octet string into an
ASN.1 structure. The object identifier for the type of hash being
used is included in the structure.  The hexadecimal representations
for the currently defined hash algorithms are:
snip

Note that it's also not immediately obvious what the format of the
signature packet used in a clearsigned message is... I haven't looked at
the working draft of the RFC but hopefully it's a lot clearer than the
published version.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Gnupg-users Digest, Vol 36, Issue 8

[Alphax]

C Yohman wrote:
 Carlo's instructions worked. Thank you to everyone else. It works,
 except it failed one test. Is that test important?
 

It's a known issue with building on MSYS. The problem/fix is as follows:

 If you get 'FAIL: conventional-mdc.test' during the check phase of the
 build the problem is caused by dd.exe from coreutils-bin v5.3.0
 Sometimes the test passes sometimes fails.
 

You will need the Cygwin version of dd.exe; you can get it from
coreutils-5.2.1.bin.zip at http://tinyurl.com/jrjmw (Yahoo Groups).

Mica has put up the relevant instructions and files at
http://blueness.port5.com/gpgcvs/ based on the trial-and-error that a
number of people went through to get native building on W32 to work.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP 6.5.8 - PGP 7.7.4 compatability with gpg 1.4.2

[Alphax]

Vidas Makauskas wrote:
 Hi,
 I've been crypting files with gpg 1.2.2 on SUSE8.2 distribution.
 Partners use PGP 6.5.8 - PGP 7.7.4 for decrypting.
 
 I need transfer crypting to SuseEnterpriseServer10 with gpg 1.4.2 by default
 in distribution.
 Problem is, that partners can't decrypt my files now.
 
 Before encryption i export secret key from SUSE8.2:
 gpg --armor --export-secret-keys SECRET SECRET.ASC
 
 and import to SLES10.
 gpg --import SECRET.ASC
 gpg --import PARTNER.PKR - public key
 
 Our partners cant't decrypt my files now.
 PGP use DH/DSS 1024-4096
 GPG use DSA and ElGamal 1024-2048
 How can I check used key formats and change by default?
 How can I be sure what i use DSA and ElGamal 1024-2048 by default?
 

There are compatibility options you can set in GPG via either the
command line or ~/.gnupg/gpg.conf (-- is removed for config files):

Use --pgp6 or --pgp7 depending on which version of PGP they are using.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Help! Gnupg can't run in php program

[Alphax]

Simon Ruderich wrote:
 
snip

Enigmail gave me

gpg: unexpected armor: -BEGIN PGP SIGNED MESSAGE-\n
gpg: invalid radix64 character 3A skipped
snip
gpg: CRC error; 31D9CE - A8932B
gpg: [don't know]: invalid packet (ctb=1d)

GPGShell validated your sig ok, as did copy/pasting onto the command
line. Something funny going on with Apple Mail?

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: sig!3 entry vs sig! entry on certain GnuPG keys from the PuTTY software site

[Alphax]

[EMAIL PROTECTED] wrote:
 The web site for the PuTTY software provides GnuPG keys to verify
 downloads of the PuTTY software. see
 http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html
 
 With these keys imported into the GnuPG public keyring, issuing gpg
 --check-sigs produced the following output (the user name has been
 redacted):
 
snip
 
 For the self-signatures on the DSA-type keys (and only the DSA-type
 keys) there is a sig!3 entry instead of a sig! entry. The other
 signatures on the DSA-type keys just have a sig! entry. It has been
 said elsewhere that the 3 in the sig!3 entry indicates a
 certificate check level of 3. However, the 3 does not appear on the
 self-signature entries for the RSA-type keys. Is this to do with the
 key types (the DSA type and the RSA type), the way that the keys were
 created and/or signed, or some other reason?
 

It's to do with the way the keys were signed at the time they were
generated.

There is a default certification level option that can be used either
on the command line or in a config file - normally GnuPG will ask you
for the certification level when you sign a key, but the default /can/
be used if the right options are set, and /will/ be used at the time of
key generation.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]

[Alphax]

Robert J. Hansen wrote:
 Janusz A. Urbanowicz wrote:
 You can't read a private key from the smartcard, but you can read it 
 from the flashdrive. SC is a crypto processor + storage, flashdrive
 only storage.
 
 All of which is true.  However, the bit to which I was replying was:
 
 A smartcard is very convenient as far as it's a multi application
 device, so you can store much other info apart from GnuPG keys, i.e.
 Mozilla passwords or such.
 
 ... And I'm still trying to figure out how that's different from a flash
 drive.  Maybe there is a difference and I'm not seeing it.  Or maybe
 there isn't one.
 

I don't use a flash drive or a smartcard, for the following reasons:

- Flash drives are too prone to failures at bizzare moments
- Smartcards are largely experimental and don't have the instant
usability of a USB stick

(/me mutters something about The right tool for the right job...)

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Problem retrieving encrypted email

[Alphax]

1wing-angel wrote:
 I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail
 issue. I'm assuming it's Thunderbird's problem. I also don't know if I
 should post this to you guys or Thunderbird or Enigmail, but anyway I hope
 this is the right place. 
 
 So far everything is working ok, BUT whenever I send a Signed and
 Encrypted email to myself, it goes through Gmail but I can't receive it
 with my Thunderbird email client.
 
 When I log onto my Gmail account, the signed and encrypted email is there in
 my inbox, but when I try to retrieve the message from my Thunderbird email
 client, it doesn't work. It doesn't give me any error messages or anything.
 
snip

I belive it's actually an issue with Gmail.

Suppose you send an email (via Gmail's web interface or their SMTP
server) to a mailing list. The mailing list will send a copy of the
message back to you (if you've enabled it); however, Gmail recieves it
and says Oh, you already sent that, I won't bother delivering it to
you. I'm not sure if it ever appears in your inbox, but it won't be
forwarded by any filters, and it probably won't be accessible via the
POP3 interface either.

I'm fairly certain that the behaviour is identical for sending an email
to yourself.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG and 1024-bit (or multiple) subkeys

[Alphax]

Werner Koch wrote:
 On Tue, 15 Aug 2006 21:09, Johan Wevers said:
 
 keys larger than 2048 bits but hacked versions exist that ganerate 16k
 keys). Is there such a limitation in gpg, or can I happily use a 128k
 RSA or El Gamal key with no other problems than them being very slow?
 
 The only limitations I am aware of are the amount of random you may
 get by one call and that the key as well as intermediate results need
 to fit into the allocated secure memory.
 

I can verify this; the key generation size limit is currently set to
4096 bits, but can be increased to 8192 bits without too many problems.
Someone reported that they were able to generate keys of 11296 bits
(they are painfully slow to use), but for much more than that you get
errors like

|gpg: out of secure memory while allocating 5108 bytes
|gpg: (this may be caused by too many secret keys used simultaneously
|or due to excessive large key sizes)

Now, although it can't generate keys that big, GPG can *use* a key of
16384 bits (presumably generated with one of Disastry's PGP 2.6.3
builds); again, operations involving such keys are painfully slow and
not worth the effort.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Security of truncated hash functions

[Alphax]

Qed wrote:
 Suppose you need a 160 bit digest.
 You can choose RIPEMD160/SHA1 or a truncated version of a bigger one
 (e.g.: SHA2 family).
 Which solution would be safer?
 Is a digest algo designed for a given length stronger than a truncated
 longer one?
 

Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll
assume that you're asking about using the DSA2 option to use truncated
hashes with DSA keys that have q=160.

Now, I could be completely wrong, but common sense seems to suggest
that there's no reason why it's any safer; in fact, you may be worse off.

The reasoning for this answer is as follows: since DSA OpenPGP keys
don't have a hash function firewall, it just gives an attacker more
oppurtunities to find a hash collision; instead of having to pick from
SHA1 and RIPEMD160 as the hash algorithms to pick a colliding message
digest from, they can now add the SHA2 family of algorithms to their
choices; plus, instead of having to collide 160/160 bits, they now only
have to collide 160/{224,256,384,512} bits.

Again, I could be completely wrong, but that's what common sense seems
to suggest.

 I googled, but I found only
 http://www.schneier.com/blog/archives/2005/10/nist_hash_works_3.html
 I know that sci.crypt would be a better place to ask this question, but
 I don't like it.

You could also ask at PGP-Basics :)

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to verify the file was successfully encrypted...

[Alphax]

George Ross wrote:
 BTW, why are you encrypting these files anyway?  If someone broke into 
 your computer they could just steal the crypto key too.
 Excellent question!  Truth be told, as soon as they are encrypted,
 they're being moved to another server in another location, and then are
 being burned to CD and moved to a safety deposit box.
 
 How about if you append a hash of the file to the file, and encrypt that 
 too?  Then have the remote machine do the trial decrypt-and-check-hash.  If 
 all is OK the remote machine can then tell the local one to delete the 
 original; and if it's not OK, it can scream at you.
 

Better than that, if you get GPG to sign the file when it encrypts it
(using a passwordless key/subkey) and/or use the MDC option, you'll be
able to do this more reliably...

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to verify the file was successfully encrypted...

[Alphax]

Benny Helms wrote:
 On Wed, 2006-07-12 at 15:13 -0400, Jeffrey F. Bloss wrote:
 Benny Helms wrote:

 snippage
 
 Don't know if this will help or not, but I just did a quick test with
 GnuPG 1.4.4 and the --dry-run command line switch seem to work fine.
 Outputs to stdout rather than writing a file to disk.  I changed a
 single bit in an encrypted (armored) file and tried it, and got a CRC
 error without entering any pass phrase at all. 

 That's with -vv set in my options file, FWIW. And bleeding edge
 hash/cypher algorithms.

 Additionally, you can enter a pass phrase on the command line with the
 --passphrase switch. I tested it with both known good and known bad
 encrypted files, and if you enter a bogus/incorrect pass phrase for a
 known good file you get a bad passphrase error. With a known bad
 encrypted file you get the same CRC error. Neither one requires any
 user input, which is what you want.

 IOW, if you...

  gpg -d --dry-run --passphrase boguspassphrase bad-file.asc 

 You get the CRC error, but if you...

  gpg -d --dry-run --passphrase boguspassphrase good-file.asc

 You get the bad passphrase.

 The down side is, both are exit code '2', so you'd have to grep for the
 verbal response to tell the difference. But that's not a major hurdle
 and it should be trivial to if $? grep return codes into something
 useful.

 The other down side is this doesn't explicitly tell you if you have a
 *good* encrypted file, it only picks out a couple errors. To do that
 you'd have to either be sitting there entering pass phrases, or include
 them in your script. Probably not where you'd want to go with this. :(
 
 Thanks Jeffrey.  Excellent suggestion.  This worked well with a .asc
 file, but not with a .gpg file.  Does anyone on the list have a
 preference for .asc vs .gpg output?  Pros?  Cons?  The size is almost
 twice as big as a .gpg at this time, which is a definite con.  But there
 are probably some serious pros as well.  Input?
 

.asc files are immune to mangling of CR/LF characters which may be
present in binary data, which often happens when you transfer via email
or FTP.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Keysigning challenge policies/procedures

[Alphax]

Michael Kallas wrote:
 David Shaw schrieb:
 I've been away on vacation and only picked up this thread now.  This
 statement is not correct.  Back in the PGP 2.x days, this might have
 been true, but with OpenPGP, there is no particular requirement that
 the ability to sign and the ability to decrypt are connected.  You can
 have a shared key with separate capabilities.

 Sending an signed key via encrypted mail does not ensure anything
 about the key owner.
 Why not?
 Sorry, this conclusion was too fast for me, could you please explain a
 little bit?
 

Suppose you send an email to Address W and encrypt an authentication
token to Key X. You recieve a reply from Address Y, containing the
authentication token, which has been signed with Key Z.

This tells you that /someone/ with access to W has recieved a message;
/someone/ with access to X has decrypted it; /someone/ with access to Z
has signed a reply; and /someone/ with access to Y has sent a reply.

Keys X and Z may or may not be the same key or subkeys of the same
primary key, addresses W and Y may or may not be the same, and Y may or
may not have been faked (which is trivial).

The owners of W, X, Y and Z could be four different people, or they
might not be people at all; all you can really say about the key owner
is that X is in contact with W and Z, and Z is in contact with X and Y.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Keyring Directory

[Alphax]

Jeffrey F. Bloss wrote:
 Bob Henson wrote:
 
 Would someone kindly confirm the gpg.conf line for setting the
 keyring directory elsewhere than the standard one, please. As far
 as I can see, the --homedir command sets the directory for the
 executable files, but I'm not sure what to set to move the keyrings
 to another path to the standard (Win XP) path of ./application
 data/gnupg. Maybe it's an environment variable needs setting?
 
 snip
 
 Sorry for the out of sequence reply, just joined the list. :)
 
 I think what you want is actually a series of entries in your options
 file. This works under Linux with a thumb drive, maybe you can get it to
 work under Windows(?) by just changing the paths to the keyrings.
 
 # Begin - Set keyrings to flash drive
 no-default-keyring
 keyring /mnt/cruiser/.gnupg/pubring.gpg
 secret-keyring /mnt/cruiser/.gnupg/secring.gpg
 # End.
 
 

Yes, that will work with gpg.conf on Windows too:

# disable default pubring.gpg and secring.gpg
no-default-keyring
#
# set the public keyring to use
keyring c:\documents and settings\username\application
data\gnupg\some-other-pubring.gpg
#
# set the keyring to import keys into
primary-keyring c:\documents and settings\username\application
data\gnupg\some-keyring-to-import-to.gpg
#
# set the secret keyring to use
secret-keyring c:\documents and settings\username\application
data\gnupg\some-other-secring.gpg
#
# set the trustdb to use
trustdb-name c:\documents and settings\username\application
data\gnupg\some-other-trustdb.gpg

Note that on Windows paths are case insensitive, and unlike in the
registry, backslashes do not need to be escaped and paths with spaces in
them do not need to be quoted :)

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Keyring Directory

[Alphax]

Bob Henson wrote:
 Would someone kindly confirm the gpg.conf line for setting the keyring
 directory elsewhere than the standard one, please. As far as I can see,
 the --homedir command sets the directory for the executable files, but
 I'm not sure what to set to move the keyrings to another path to the
 standard (Win XP) path of ./application data/gnupg. Maybe it's an
 environment variable needs setting?
 

From the manpage:

--homedir directory
  Set  the  name  of  the  home  directory to directory If this
  option is not used it defaults to  ~/.gnupg.  It  does  not
  make sense to use this in a options file. This also overrides
  the environment variable $GNUPGHOME.

However, the best fix on Windows is in the registry:

[HKEY_CURRENT_USER\Software\GNU\GnuPG]
HomeDir=C:\\Documents and Settings\\Username\\Application Data\\GnuPG
OptFile=C:\\Documents and Settings\\Username\\Application
Data\\GnuPG\\gpg.conf

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Interesting error message on import

[Alphax]

On importing a large number of keys from a keyring backup, I saw the
message gpg: assuming bad signature from key 0xE0BB4BCD due to an
unknown critical bit about a dozen times. Can anyone explain what this
means, whether this is the correct behaviour, and if I should be worried
about it?

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Moving to another computer

[Alphax]

Robert J. Hansen wrote:
 Matthew West wrote:
 Hi, I have all of my gnupg information set up on this current machine.
 How would I transfer my information to another computer. Is it fine to
 use the same information on both computers?
 
 Copy ~/.gnupg/* to your other computer; specifically, trustdb.gpg,
 secring.gpg, pubring.gpg, gpg.conf.
 
 Please don't follow this advice.
 
 Copying your entire .gnupg/ directory will also copy random_seed.  You
 don't want random_seed to be shared between two computers.  That could
 potentially result in a session key not being a one-time thing.  If two
 computers share a random seed file, the chances of their random
 sequences being not-at-all-random increases.
 
 By all means, copy *.gpg and gpg.conf.  Leave random_seed alone.  You'll
 be happier that way.
 

*thunk*

Yeah, I should have thought of that... that's what comes of posting just
before lunch.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP to GnuPG

[Alphax]

Ash M wrote:
 Hi,
 
 I am working on a project to convert PGP keys to GnuPG.
 Most of the keys created recently have successfully been migtated but I am
 unable to migrate the ones created using PGP Version: 4.0 Business Edition.
 
 The error I get is: ( gpg version 1.4.2 )
   $ gpg --import pubkey.pub.asc
   gpg: WARNING: using insecure memory!
   gpg: please see http://www.gnupg.org/faq.html for more information
   gpg: key 390CA571: no valid user IDs
   gpg: this may be caused by a missing self-signature
   gpg: Total number processed: 1
   gpg:   w/o user IDs: 1
 
 Following is the output from pgp for the same key:
   $ pgp -kvv 0x390CA571
   Looking for user ID 0x390CA571.
   Type bits  keyID  Date   User ID
   RSA  1024  0x390CA571 2003/09/24 KKK one_e05
   sig0xCC7AB923 MFF user [EMAIL PROTECTED]
   1 matching key found.
 
 I have heard that there are compatibility issues between GnuPG and older
 versions of PGP but is there any way of getting around this ?
 Any help would be well appreciated.
 

If you still have the secret key, you can have the key sign itself and
then this error will not occur. Otherwise, you can use the option in GnuPG

--allow-non-selfsigned-uid

to import the key, and then have it sign itself.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: False Decrypt Error...

[Alphax]

Eric Robinson wrote:
 Hello David, Thanks so much for responding...
 
 We have switched from PGP to GPG and we have some of our customers
 are still using PGP,
 
 ¨PGPÁÀNŠˆæ °  is the first part of the message.
 
snip

Ask your customers to make sure their messages are ASCII-armored - not
sure how to set this with the PGP GUI versions, but for the command line
version the manual says:

 To produce a ciphertext file  in  ASCII  radix-64  format,
 just  add  the -a option when encrypting or signing a mes-
 sage or extracting a key:
 pgp -sea textfile her_userid
 pgp -kxa userid keyfile [keyring]

HTH,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP zip

[Alphax]

Todd Zullinger wrote:
 Snoken wrote:
 Hi,
 I cannot find any gpg-zip-program after installing GnuPG
 1.4.3 for Windows.
 
 The announce message tells:
 
 Added gpg-zip, a program to create encrypted archives that can
interoperate with PGP Zip.
 
 On my linux system, gpg-zip is a shell script.  I'm guessing that it's
 not installed on windows because there isn't an sh compatible shell
 there.  Perhaps if you were using cygwin you could get it to work, but
 I don't know.
 

Minimum requirement is MSYS http://www.mingw.org/msys.shtml, which is
a small set of the Cygwin tools. Never used gpg-zip myself though.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPGFiletool does not find all keys in my keychain

[Alphax]

Pehr Jansson wrote:
 I am trying to use the GPGFiletool on Mac OS X to encrypt a file for a
 particular recipient.  However, it does not show that person as being
 available.  Other tools, e.g., GPG in the terminal window, or the GPG
 Mail plug in, have the recipient's key.  Why does GPGFiletool not find it?
 

Is the key trusted?

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: set owner trust from a script

[Alphax]

Nicolas Rachinsky wrote:
 Hallo,
 
 what is the best way to set the owner trust of a key from a script?
 

I've actually played around with this...

To do ownertrust stuff:

gpg --list-keys --with-colons --with-fingerprint

grep ^fpr

The fingerprint format is:

fpr:(fingerprint):

The ownertrust format is:

(fingerprint):(trust):

where trust is:

0: (not settable)
1: expired (not sure what this means)
2: undefined
3: none
4: marginal
5: full
6: ultimate
128: disabled

If you want to set all valid keys with unspecified trust to marginal trust:

gpg --list-keys --with-colons --with-fingerprint `gpg --list-keys \
--with-colons | grep pub:f:.*:-: | sed -r -e \
's/pub:f:[0-9]+:[0-9]+:([A-F0-9]+):.*/0x\1/'` | grep ^fpr: \
| sed -r -e 's/fpr:([0-9A-F]+):/\1:4:/' | gpg --import-ownertrust

Note that this isn't entirely foolproof and may have unintended
consequences - make backups of your keyring(s) and trustdb first. I've
mainly used it semi-automatically where I check the status of some keys,
run the script, and then re-check the status of the keys.

HTH,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gnupg plaintext encryption?

[Alphax]

eruistonuena wrote:
 I've been using gpg no for a while and I've always wondered why it says go
 ahead and type your message if you run gpg without any commands or options.
 
 does it encrypt text or something?

It waits for you to give it some sort of data. For example, if you were
to do (on Windows):

 $gpg
 gpg: Go ahead and type your message ...
 The quick brown fox jumps over the lazy dog.
 ^Z

It replies:

 gpg: no valid OpenPGP data found.
 gpg: processing message failed: eof

But if you do something like:

 $gpg
 gpg: Go ahead and type your message ...
 -BEGIN PGP MESSAGE-
 Version: GnuPG v1.4.4-svn4147:IDEA-TIGER192-DSA2 (MingW32)

 owNCWmg2MUFZJlNZMOjPVwAAGt+EQBJAAQUABAAEADCACCAAUMMjAmmBMhia
 MDGagAGRoNHpHhS4KdS4JwsGCri7t74sjMbZF0dHjGpIH+kEBMETOdUX5fxdyRTh
 QkDDoz1c
 =5OsL
 -END PGP MESSAGE-
 ^Z

You get:

 The quick brown fox jumps over the lazy dog.

HTH,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gnupg plaintext encryption?

[Alphax]

Zach Himsel wrote:
 ok... i got ya. how would i get the encrypted text in the first place.
 because i know armored encryption can encrypt text files, but that wouldn't
 work, would it? how could you encrypt text directly?
 

With something like:

 gpg -a -e -r 0x5B0358A2 -r 0xB1E06496
 The quick brown fox jumps over the lazy dog.
 ^Z

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: tar file for version 1.4.3--- bad signature?

[Alphax]

Charles Blair wrote:
   I am unable to verify the gpg 1.4.3 tar file.  Can
 somebody tell me what I am doing wrong?
 
I have downloaded the files:
 
 -rw-r--r--   4354218 Apr 26 17:54 gnupg-1.4.3.tar.gz
 -rw-r--r--   158 May  1 19:13 gnupg-1.4.3.tar.gz.sig
 
When I tried gpg --verify gnupg-1.4.3.tar.gz.sig
 using version 1.4.1, I got:
 
 gpg: Signature made Mon 03 Apr 2006 05:42:26 AM CDT
 using RSA key ID 1CE0C630
 gpg: BAD signature from
 Werner Koch (dist sig) [EMAIL PROTECTED]
 
   The key was downloaded from the MIT keyserver:
 
 pub   1024R/1CE0C630 2006-01-01 [expires: 2008-12-31]
   Key fingerprint =
  7B96 D396 E647 1601 754B  E4DB 53B6 20D0 1CE0 C630
 uidWerner Koch (dist sig) [EMAIL PROTECTED]
 
 

Try the .bz2 version - at my end it has checksums of:

MD5 = D2 37 D8 FE 1C 4A FA 37  9F 56 DB DA 0E 0B 40 E4
SHA1 = 9E96 B36E 4F4D 1E8B C502  8C99 FAC6 7448 2CBD B370
RMD160 = F6D3 2878 5F41 B74F 97D2  5305 C6FE 95AD 45BB 70A5

Of course, you should check the detached sig for that one rather than
trust me on it... :)

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: auto-key-locate

[Alphax]

Simon Josefsson wrote:
 Werner Koch [EMAIL PROTECTED] writes:
 
 * New auto-key-locate option that takes an ordered list of methods
   to locate a key if it is not available at encryption time (-r or
   --recipient).  Possible methods include cert (use DNS CERT as
   per RFC2538bis, pka (use DNS PKA), ldap (consult the LDAP
   server for the domain in question), keyserver (use the
   currently defined keyserver), as well as arbitrary keyserver
   URIs that will be contacted for the key.
 
 I'm having trouble getting hkp keyservers to work with
 auto-key-locate.  gpg do appear to retrieve the key successfully, but
 then it complains that it can't use it.  Ideas?
 
 ~/.gnupg/gpg.conf contains:
 
 auto-key-locate x-hkp://subkeys.pgp.net
 
 [EMAIL PROTECTED]:~/src/gnupg$ gpg -a -e -r [EMAIL PROTECTED]
 gpg: searching for names from hkp server subkeys.pgp.net
 gpg: key 99242560: public key David M. Shaw [EMAIL PROTECTED] imported
 gpg: key 3CB3B415: public key David M. Shaw [EMAIL PROTECTED] imported
 gpg: key D46DCCC5: David M. Shaw (High Security) [EMAIL PROTECTED] not 
 changed
 gpg: key DFF20E79: public key David M. Shaw [EMAIL PROTECTED] imported
 gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
 gpg: depth: 0  valid:   4  signed:  21  trust: 0-, 0q, 0n, 0m, 0f, 4u
 gpg: depth: 1  valid:  21  signed:  43  trust: 1-, 0q, 0n, 1m, 19f, 0u
 gpg: depth: 2  valid:  29  signed: 223  trust: 24-, 0q, 0n, 0m, 5f, 0u
 gpg: depth: 3  valid:  24  signed: 158  trust: 24-, 0q, 0n, 0m, 0f, 0u
 gpg: next trustdb check due at 2006-07-10
 gpg: Total number processed: 4
 gpg:   imported: 3  (RSA: 3)
 gpg:  unchanged: 1
 gpg: automatically retrieved [EMAIL PROTECTED]' via x-hkp://subkeys.pgp.net
 gpg: [EMAIL PROTECTED]: skipped: unusable public key
 gpg: [stdin]: encryption failed: unusable public key
 [EMAIL PROTECTED]:~/src/gnupg$ gpg -a -e -r [EMAIL PROTECTED]
 gpg: 1643B926: There is no assurance this key belongs to the named user
 
 pub  2048g/1643B926 2002-01-28 David M. Shaw [EMAIL PROTECTED]
  Primary key fingerprint: 7D92 FD31 3AB6 F373 4CC5  9CA1 DB69 8D71 9924 2560
   Subkey fingerprint: F0EC 51D9 2ED0 C183 8977  DDD0 AE28 27D1 1643 B926
 
 It is NOT certain that the key belongs to the person named
 in the user ID.  If you *really* know what you are doing,
 you may answer the next question with yes.
 
 Use this key anyway? (y/N)
 

Have you tried it with

trust-model always

in your gpg.conf? The key you're trying to encyrpt to probably isn't
within your trust path.

 Btw, DNS CERT retrieval work fine, see:
 

Oh yes, congrats on RFC 4398.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Getting KMail to let me encrypt to an unsigned key?

[Alphax]

Adam Funk wrote:
 On 2006-05-15, Ingo Klöcker [EMAIL PROTECTED] wrote:
 
snip
 I'm running the Debian kmail 3.3.2-3 package and gpg 1.4.3 compiled
 from the source.

 As far as I can tell, it flatly refuses to let me encrypt a message
 to any key that doesn't have a signature chain back to a trusted key.
  I can see the usefulness of a warning about doing this, but I've
 accidentally sent a message unencrypted while trying to find a way
 around the problem.

 Is there any way to override this restriction?


 No, but there's a corresponding (and already very old) wish in KDE's bug=20
 tracking system (bugs.kde.org).
 
 Would lsign-ing the key circumvent the problem?

Yes.

 Would it cause any other problems?
 

You will be asked to set an ownertrust value...

It might be worth trying to find an actual trust path using Wotsap
(http://www.lysator.liu.se/~jc/wotsap/) or similar as well as lsigning
the key, but YMMV.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Retrieving keys via v3 fingerprint

[Alphax]

David Shaw wrote:
 On Wed, May 03, 2006 at 01:45:15AM +0930, Alphax wrote:
 How does one get keys from a keyserver when only the v3 fingerprint is
 known? I recovered the fingerprints from a trustdb (they had 
 appended), but I can't work out how to get them off a keyserver...
 
 You can't.  It would require the keyserver to be able to retrieve by
 v3 fingerprint and none can.
 

So, why does GPG store trustdb entries in this manner? I had a situation
where my keyring died, but my trustdb was intact... is there no way to
recover those keys? I still have the old keyring...

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Retrieving keys via v3 fingerprint

[Alphax]

How does one get keys from a keyserver when only the v3 fingerprint is
known? I recovered the fingerprints from a trustdb (they had 
appended), but I can't work out how to get them off a keyserver...

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: USB Drive Use

[Alphax]

Sarixe Avaliesz wrote:
 John W. Moore III wrote:
 If you mean GPG then Yes there is.  Check out GPG 2 GO on my Homepage:

 http://tinyurl.com/9ubue

 JOHN :-D
 Timestamp: Wednesday 26 Apr 2006, 18:54  --400 (Eastern Daylight Time)
 No, I mean GPA.  I already have successfully installed GPG on my USB
 device.  It's GPA (GNU Privacy Assistant).  Actually, It doesn't need to
 be GPA, I'm just looking for a portable frontend to GPG that I can
 install on the USB device and use on multiple computers.  One of these
 computers has the users configured in such a way that the privileges are
 very limited, thus I can't have anything with a registry value, etc.
 Any suggestions?

For a multi-environment setup, the Java-based Occulti suite
(http://sourceforge.net/projects/occulti) might be an option. Of course,
it's still in beta, and I've never used it, and I have no idea if it
would work on a USB device, but it's worth a try...

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Clear all signatures on key?

[Alphax]

Tech wrote:
 
 Hello,
 
 I'm trying to figure out how to remove all signatures from all my GPG
 keys. I've RTFM but I've missed something I'm afraid. Here is what I am
 seeing:
 
 1. Type gpg --list-keys and I get a list of my keys. ([EMAIL PROTECTED] is a
 fake email address for the sake of this post...)
 
 2. I type gpg --edit-key [EMAIL PROTECTED]
 
 I am now in edit mode
 
 Command list
 
 (I get my key information)
 
 Command uid 1
 
 (I then select my key)
 
 Command Delsig
 Nothing deleted.
 
 Command Minimize
 User ID My Key etc etc:
 already clean.
 
 Command check
 uid My Key etc etc
 1 user ID without valid self-signature detected
 
 Command quit
 
 
 
 3. I type 'gpg --list-sigs and I get a list of keys thusly:
 
 C:\Documents and Settings\Administratorgpg --list-sigs
 h:/gnupg-keys\pubring.gpg
 -
 pub   1024D/ 2005-08-10
 uid  My Key (Email Encryption/Signing Key) [EMAIL PROTECTED]
 sub   4096g/ 2005-08-10 [expires: 2006-08-10]
 sig   2005-08-10  My Key (Email Encryption/Signing Key)
 [EMAIL PROTECTED]
 
 
 
 Question: What signature is listed there that is reported from my
 --list-sigs command? What have I missed? I would think I have no
 signatures installed on my key?
 

The signature listed in on the subkey, not the UID; this signature
binds the subkey to the primary. Note that by default GPG will not
like the fact that a UID doesn't have a valid self-signature; a
self-signature on a UID binds the UID to the key itself. If it were
not for selfsigs ike this, it would be trivial for someone to inject
their own UID (with your name, but a different email address) into their
copy of your key and then upload it to eg. a keyserver. You should
probably edit your key and re-sign it by using the sign command.

HTH,
-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: newbie: --edit-key problem

[Alphax]

Michael D. Berger wrote:
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of John W. Moore III
 Sent: Tuesday, April 18, 2006 7:30 PM
 To: GnuPG Users List
 Subject: Re: newbie: --edit-key problem


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 This is also from the Manual and should help set your prefs 
 in gpg.conf.

 - --personal-cipher-preferences string
Set  the  list of personal cipher preferences to string, this
list should be a string similar to the  one  printed  by  the
command  pref  in  the  edit menu.  This allows the user to
factor in their own preferred algorithms when algorithms  are
chosen via recipient key preferences.  The most highly ranked
cipher in this list is also used for the --symmetric  encryp-
tion command.


 Remember, when placing Commands into gpg.conf the '--' prefix 
 is omitted.

 JOHN ;)
 [...]
 
 --personal-cipher-preferences string
 
 did not seem to work either in the config file (without --) or in a
 command line.  It was seen, however, since a misspelling resulted
 in a diagnostic.
 
 I ultimately was able to add blowfish to my preferences with:
 
gpg --edit-key mdb00
   setpref BLOWFISH followed by the things that were already there, no
 commas
   confirm that I really want to do it
   supply passphrase when asked
   ignore output suggesting passphrase was not seen -- it was
 
 It is noteworthy that the 3DES cipher cannot be removed by this
 procedure, while any other cypher can.  I wonder why this is.
 

The OpenPGP spec (RFC 2440) says that 3DES is *required* for a cipher
algorithm; it is mandatory that programs complying to the RFC implement
3DES as a cipher algorithm, DSA and Elgamal for keys, and SHA-1 for a
hash function.
http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Feature_comparison sums
it up pretty neatly.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: auto-key-locate pka (gpg version 1.4.3)

[Alphax]

David Shaw wrote:
 On Sun, Apr 09, 2006 at 06:16:14PM -0400, John A. Martin wrote:
 ds == David Shaw
 Re: auto-key-locate pka (gpg version 1.4.3)
  Sat, 8 Apr 2006 20:11:48 -0400
 ds This means that the build of GnuPG you has no DNS support (pka
 ds and cert require DNS support, and ldap and keyserver don't).

 Wouldn't it be nice if 'gpg --version' printed a list of the features
 available in the version supported and not-supported by the
 executable?
 
 That's a good idea.  I'll look at doing that.
 

Will that also include undocumented features like --enarmor?

-- 
Alphax
Message composed: 2006-04-10T15:19:27+09:30

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Problem decrypting large file.

[Alphax]

Peter C. Chapin wrote:
 Hello! I've googled a bit on this problem but I have not so far found
 anything helpful.
 

http://lists.gnupg.org/pipermail/gnupg-users/2005-September/026646.html

http://lists.gnupg.org/pipermail/gnupg-users/2005-October/027259.html

http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028073.html

and their replies.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error: unusable public key

[Alphax]

Daniel Carrera wrote:
 Hello,
 
 I'm having another problem, again not in the FAQ:
 
 sql.gz: encryption failed: unusable public key   
 
 This happens when I try to encrypt a file with my public key.
 
snip
 /path/to/.gnupg/pubring.gpg
 
 pub  1024D/42713DE9 2006-03-21 Daniel Carrera [EMAIL PROTECTED]
 sub  2048g/F2EB9C97 2006-03-21
 
 
 I am trying to encrypt with the following command:
 
 $ gpg -a --homedir /path/to/.gnupg -r [EMAIL PROTECTED] --batch -o
 sql.asc -e sql.gz
 
 Note: The '-e sql.gz' is for testing. I'll replace this by a pipe later.
 
 When I run this command from a PHP script I get this error:
 
 gpg: F2EB9C97: There is no indication that this key really belongs to
 the owner
 gpg: sql.gz: encryption failed: unusable public key
 

You haven't specified that the key is trusted in the local trustdb.
You'll need to either remote login and:

$ gpg --edit 0x42713DE9

Command trust

Please decide how far you trust this user to correctly verify other
users' keys
(by looking at passports, checking fingerprints from different sources,
etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

or add the option

--trust-model always

to your gpg exectution command, ie.

$ gpg -a --homedir /path/to/.gnupg --trust-model always -r
[EMAIL PROTECTED] --batch -o sql.asc -e sql.gz

or add

trust-model always

to your .gnupg/gpg.conf file.

HTH,
-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Problem removing a public key whose private key is gone

[Alphax]

Jeremiah Foster wrote:
 On Tue, 2006-03-07 at 19:35 -0500, Atom Smasher wrote:
 
On Tue, 7 Mar 2006, Jeremiah Foster wrote:

snip
 
if you have any doubts about doing it right, or if you're having a bad 
day, backup the keyring before trying to delete anything from it.

if no one else has a copy of the key, you're done. if the key is in 
circulation among key-servers (and if you don't have a revocation 
certificate) you're beat.
 
 
 The key is on key servers and I do not have a revocation cert. Would you
 elaborate on beat?  
 

Sore out of luck. People will keep using the key which is on the key
server, and you will be unable to do anything except reply Sorry, I
lost that secret key, can't decrypt, here is my new key.

This is why it is *very* important to have both a backup of you secret
keys  a revovation certificate.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: decription directly from texteditor

[Alphax]

smiling molecule wrote:
 hallo together,
 
 i am searching for a texteditor whicht can directly safe enecripted
 files with gnupg or which can directly open and decrypt textfiles.
 
 is there any plugin for example for scite or so which can do this?
 

Only if you can write a Lua extesion for it :)

 i dont want to decrypt files first and than open them. i want to do
 this in one step.
 

If you're on W32 you can try GPGShell which has an edit clipboard
function available from the tray. Otherwise KGPG etc.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Global Deb/XP keys from Deb partition ?

[Alphax]

Adam Bogacki wrote:
 Hi, having seen a reverse example at 
 
 http://lists.gnupg.org/pipermail/gnupg-users/2003-July/019421.html
 
 I attempted
 
 Tux:~# /usr/bin/gpg
 gpg: Go ahead and type your message ...
 gpg --armor --export mykey  mykey.asc
 
 .. where it hung.
 

Running gpg with no arguments assumes that you're either going to type
something to sign/encrypt (followed by ^D) or paste a signed/encrypted
blob which it will verify/decrypt. You need:

# gpg --armor --export mykey  mykey.asc

HTH,
-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenLDAP schema to store OpenPGP keys?

[Alphax]

Walter Haidinger wrote:
 On Tue, 21 Feb 2006, David Shaw wrote:
 
 
If GnuPG could also store secret keys (btw, can it? have never checked)

It's theoretically possible, but no keyserver works that way.
 
 
 Probably not for HTTP keyservers, but for LDAP offering strong
 authentication and TLS/SSL?
 
 A remotely accessible, single storage of secret keys could be quite 
 useful for some people. You wouldn't be required to carry the secret 
 keyring with you on usbsticks or else anymore. When I think about it,
 probably a better use for LDAP capabilities than to store public keys...
 
 Perhaps something to add in the future?
 (feature request ;-)
 

Isn't this what Kerberos was designed for?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: file encryption and integrity check

[Alphax]

Francesco Turco wrote:
snip
 i have disabled compression becouse files i have to encrypt are already
 compressed, and compression takes much more time then encryption.
 
 do you think it is a good choice?
 

IIRC GnuPG will detect if data is compressed before it tries to compress
it; if so, it won't try to.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cURL keyserver handlers broken

[Alphax]

David Shaw wrote:
 On Sun, Feb 19, 2006 at 11:24:40PM +1030, Alphax wrote:
 
 
Host:   sks.keyserver.penguin.de
Command:SEARCH
gpgkeys: HTTP URL is
`http://sks.keyserver.penguin.de:11371/pks/lookup?op=indexoptions=mr
search=Alphax'
?: localhost: Unable to connect: ec=0
gpgkeys: HTTP search error 7: couldn't connect: No error
 
 
 That looks correct so far.  I don't suppose you have an environment
 variable http_proxy set?
 

Yes, but I thought that --no-options would disable it... also, I've
tried using an options file without the proxy-enabling options...

So that's the problem eh? Any way to get around it? Should I just move
all http-proxy stuff to config files?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cURL keyserver handlers broken

[Alphax]

David Shaw wrote:
 On Mon, Feb 20, 2006 at 01:52:40AM +1030, Alphax wrote:
 
David Shaw wrote:

That looks correct so far.  I don't suppose you have an environment
variable http_proxy set?


Yes, but I thought that --no-options would disable it... also, I've
tried using an options file without the proxy-enabling options...

So that's the problem eh? Any way to get around it? Should I just move
all http-proxy stuff to config files?
 
 
 If you set keyserver-option no-http-proxy, the proxy will be
 disabled, even if you have the environment variable set.
 

Thanks, works like a charm. Added to my config file.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cURL keyserver handlers broken

[Alphax]

David Shaw wrote:
 On Sun, Feb 19, 2006 at 04:09:32PM +1030, Alphax wrote:
 
Under GPG 1.4.3rc1 I'm completely unable to get the cURL-type keyserver
handlers to function correctly. For example, using the following command:

gpg --no-options --keyserver sks.keyserver.penguin.de --search Alphax

I get the error:

?: localhost: Unable to connect: ec=0
gpgkeys: HTTP search error 7: couldn't connect: No error
 
 
 Keep in mind 1.4.3rc1 is a development version and hasn't been
 released yet.  gnupg-devel would be a more appropriate place.
 
 That said, please run with:
 
   --debug 1024 --keyserver-options keep-temp-files
 
 added to your command line, and post the results as well as the
 contents of your tempin.txt file (the location of the tempin.txt file
 may vary on different systems, but will be shown in the debug
 output).  It looks like you're not talking to sks.keyserver.penguin.de
 at all.


Well, I know it exists; the second time I ran it (using an older version
of GPG) I *did* get results.

8-
gpg --no-options --debug 1024 --keyserver-options keep-temp-files
--keyserver sks.keyserver.penguin.de --search Alphax
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: DBG: expanding string C:\GnuPG\gpgkeys_hkp.exe -o %O %I
gpg: DBG: args expanded to C:\GnuPG\gpgkeys_hkp.exe -o
C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempout.txt
C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt, use 1,
keep 1
gpg: DBG: using temp file
`C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt'
gpg: searching for Alphax from hkp server sks.keyserver.penguin.de
gpg: DBG: system() command is C:\GnuPG\gpgkeys_hkp.exe -o
C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempout.txt
C:\DOCUME~1\Andrew\LOCALS~1\Temp\gpg-F9C4EE\tempin.txt
?: localhost: Unable to connect: ec=0
gpgkeys: HTTP search error 7: couldn't connect: No error
gpg: key Alphax not found on keyserver
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
8-

Contents of tempin.txt:

8-
# This is a GnuPG 1.4.3rc1: keyserver communications file
VERSION 1
PROGRAM 1.4.3rc1:
SCHEME hkp
HOST sks.keyserver.penguin.de
PATH /
OPTION include-revoked
OPTION include-subkeys
OPTION try-dns-srv
COMMAND SEARCH

Alphax
8-

Contents of tempout.txt:

8-
VERSION 1
PROGRAM 1.4.3rc1:

SEARCH Alphax BEGIN

SEARCH Alphax FAILED 9
8-

Thoughts?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP smartcard: addcardkey fails

[Alphax]

Lionel Elie Mamane wrote:
 Hi,
 
 I'm trying to generate an authentication subkey (tied to my main
 OpenPGP key) in my OpenPGP (FSFE Fellowship) smartcard (for poldi /
 SSH use), but can't get it to work. gpg --edit-card and --card-status
 works like a charm.
 
 
 Command addcardkey
 gpg: detected reader `SCM SCR 335 (60600ad9) 00 00'
 Signature key : [none]
 Encryption key: [none]
 Authentication key: [none]
 
 Please select the type of key to generate:
(1) Signature key
(2) Encryption key
(3) Authentication key
 Your selection? 3
 gpg: 3 Admin PIN attempts remaining before card is permanently locked
 
 Admin PIN
 
 PIN
 Key is protected.
 gpg: secret key parts are not available
 gpg: Key generation failed: general error
 
snip
 
 Any clue? Thanks in advance.
 

Is the secret part of the primary key available in your local keyring?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: There new XMPP (aka Jabber) room GnuPG-ru

[Alphax]

Maxim Britov wrote:
 On Wed, 25 Jan 2006 18:21:07 +0100
  Ismael Valladolid Torres wrote:
 
 
Maxim Britov escribe:

For use it, you should have XMPP / Jabber account and client with
conference support.  Clients is: tkabber, psi, gaim, iChat and many
others.

I suggest Gajim which is truly ellegant and available for Linux and
Windows.
 
 
 I not used gajim yet. I prefer tkabber and psi at the moment.
 Tkabber can sign messages with gnupg.
 PSI/Tkabber can encrypt messages with gnupg.
 
 

PSI also has signed presence.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using other compression algos with GnuPG

[Alphax]

Roscoe wrote:
 On 1/21/06, Ryan Malayter [EMAIL PROTECTED] wrote:
 
snip
The RAR compression algorithm proprietary and closed source, so it is
not likely to make it into any standards. RARlabs has refused for
years to allow anyone else to make RAR encoders (although they exist
in violation of the RARlabs license).

See http://en.wikipedia.org/wiki/RAR

A much better choice would be the LZMA algorithm from 7zip, which is
open-source and unpatented. It compresses with similar efficiency and
speed to RAR.

In any case, though, such slow-but-compact algorithms are really only
useful for archival purposes. While I have used PGP for some
archiving, this is not the most common usage of PGP, and probably not
an OpenPGP design goal.

There are much faster file encryption tools than PGP out there. We
actually use 7zip to compress and encrypt backups for offsite storage,
as its AES implementation is so much more efficient than GnuPG's.

 
 LZMA seems to be notably[1] faster/better than BZIP2, which has made
 it into the standard so I wouldn't immediately rule out its
 suitability for OpenPGP.


How well was LZMA known when BZIP2 made it in? Why was BZIP2 included
when ZIP and ZLIB were already available? Does this preclude LZMA? I
don't mind adding functionality so long as it is widely supported and
will just work :)

 That said I don't much think it should be included. It could *replace*
 BZIP2 but replacing BZIP2 with LZMA would break backwards
 compatibility a bit, and adding it resulting in  having both BZIP2 and
 LZMA seems a bit redundant when we've been getting along fine with
 just BZIP2.


Don't forget that ZIP and ZLIB are also there... I regularly use a
machine which has GPG 1.4.1 without BZIP2. Interestingingly enough bzip2
exists on the system...


 Back to on-topic-ness...
 I'd just use whatever compression scheme you want and pipe it into
 |gpg --compress-algo none.
 One tool one job :).


Yes, this has the added advantage that your recipient has to be able
to deal with whatever non-standard compression you choose. YMMV.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Providing shell-completions for gpg, minor scripting issues

[Alphax]

Axel Liljencrantz wrote:
 Hello,
 
 I'm currently writing a set of gpg-specific completions for the fish
 shell (http://roo.no-ip.org/fish). These completions already feature
 all the switches for gpg, and a description of each switch, usually
 the first sentence of the manpage description.
 
 While doing this, I've run across an issue with scripting. Fish allows
 you to tab-complete sub-arguments to switches, so you can for instance
 write
 
 fish gpg --verify-options=show-photos,show-usTAB
 
 and the line will complete to
 
 fish gpg --verify-options=show-photos,show-user-notations
 
 I'd like to do this for the various switches that accept a crypto
 algorithm, unfortunatly I have some problems with getting a good
 listing of the algorithms supported by the users GPG implementation.
 Running 'gpg --version' prints them, but it does so in format that I'm
 not very happy with:
 
 gpg (GnuPG) 1.4.1
 Copyright (C) 2005 Free Software Foundation, Inc.
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it
 under certain conditions. See the file COPYING for details.
 
 Home: ~/.gnupg
 Stödda algoritmer:
 öppen nyckel: RSA, RSA-E, RSA-S, ELG-E, DSA
 Chiffer: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
 Kontrollsumma: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
 Komprimering: Okomprimerad, ZIP, ZLIB, BZIP2
 
 As you can see, the format is locale dependant. I'm also worried that
 changed phrasing, further algorithm subdivision, etc. will mean that
 my parsing rules will break. To get a locale independant format, I
 have to invoke GPG with a LC_ALL set to C. This doen't seem very
 optimal to me. Is there some other way of getting this information
 that I've missed? If not, could perhaps the --with-colons switch be
 made to act on --version as well, to get an more robust format?
 

gpg --verbose --version

gpg (GnuPG) 1.4.1
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
  SHA512 (H10)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2)

HTH,
-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Are gpg signatures considered attachments?

[Alphax]

Thorsten Haude wrote:
 Hi,
 
 * Chris wrote (2005-12-28 00:45):
 
snip
On the bad signature I see this when looking at the msg source:

--nextPart5566026.XhGQNAZr0e
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On a good signature I see this:

Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
 
 
 This is from a single mail, before and after it got munged by the
 mailing list software? If not, *are* the mails changed that way? In
 what way are they changed?

I can answer this in part... quoted-printable equals-escapes things
such as newlines and equals signs - which of course changes the message
hash, invalidating the signature. Any mailing list software which
changes message encoding is EVIL.


Its even gotten so messed up that some have their signatures show bad when 
adding a sig to the bottom of the message, leaving it off shows the 
signature as valid.  The opinion on the list is that something is 
definately out of whack in the list software configuration.
 
 
 So whack it over the head. These things can be changed. What software
 do they use? What does the list provider say? What does the creator of
 the mailing list say?
 
 

Mailman seems to be okay with such things... generally adding a mailing
list footer won't mangle PGP/MIME (I've never seen it mangle inline
PGP), but once you add attachments the list footer will start breaking
things.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

David Shaw wrote:
 On Thu, Nov 10, 2005 at 09:00:56PM +0100, Christoph Anton Mitterer wrote:
 
snip
 
btw: You remember my C-only thread (I'll answer you lastest posts 
soon),... I played around a bit and read some parts of rfc2440.
Ok when I split a key using gpgsplit I get about the following:
pubkey
uid
selfsig on uid (Sig type - Positive certification of a User ID and 
Public Key packet(0x13))
subkey
selfsig on subkey (Sig type - Subkey Binding Signature(0x18))

Ok,.. the 0x18 signature ist the one that binds the sub to the primary.
=so nobody can add his own subkey to my primary because he wouldn't be 
able to make a subkey binding sig, correct?
 
 
 Right.
 
 
=but he is able do take my subkey and remove my 0x18 and add his one 
(that is where your back sig come into the game, correct?)
 
 
 Right.
 
 
Is it correct that the primary has not directly a single self sig 
packet, but rather 0x13s are used therefor? If so,.. what is 0x1F 
(signature direct on key) used for? I thought this is used for primary 
selfsigs.
 
 
 No, 0x13 (or 0x10, 0x11, 0x12) are used to sign a user ID and primary
 key together.  Historically, people call this signing a key, but
 it's really signing a user ID + key.
 
 0x1F signatures are truly signing a key alone.
 
 

So is a backsig of type 0x1F then??

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Keytypes and changing them

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Christoph Anton Mitterer wrote:
 David Shaw wrote:
 
 So I think it would be better to have the following:
 primary: C, RSA-S, 4096 bit
 secondary: S, RSA-S, 4096 bit
 secondary: E, ElGamal, 4096 bit

 Ok...
 1) Is it advisable at all?
   

 Yes.  Many people do it this way, including myself.  It's not actually
 an RSA-S key (that's deprecated), but a regular RSA key with the S
 flag set.  However, you don't actually want to change the primary from
 CS to C.
  

 Why not? *g* Of course I could just don't use my primary key for signing
 plain data,.. but I think it would be better to indicate that with the
 flag, too.
 What would be the disadvantages?
 

You could end up with conflicting copies of the same key for one...

snip
 And again,.. is it posible to change the flag on an existing key? And
 how is it done? Via a selfsignature? If so, I could change the flag to
 C, indicating everybody that I'm using the primary key for
 signing-other-keys-only and if someone should insist on
 challenge-response I could use the --expert flag or store a local-only
 version of the key (e.g. in an seperate .gnupg dir) that contains the
 key with CS.
 

Possible, yes, easy, definitely not. Think split the key into packets,
read RFC2440, fiddle with its bits, turn the bits back into a key.

 
 5) Would it change my primary key in such a way, that it renders the
 signatures that I've already received from other users invalid?
   

 No.  This does not affect third-party signatures.
  

 Good,.. so I could change this as often as I'd like to, correct?
 

I wouldn't advise it. Add a subkey. If you don't want your primary key
to be accidentaly used for signing, backup your key, export the secret
subkeys only, delete the secret part of the key, and import the secret
subkeys. That way you can still sign and encrypt as normal but you won't
be able to use the secret part of the primary key. MAKE SURE YOU BACKUP
THE ORIGINAL!

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ3C3z7MAAH8MeUlWAQhUCgf+ND53aPMn+VqE/FXVA4L/CsDYtz9j7cQl
bKZUid8hamWhTYbCIo5IT5kvOlLAS19VlBImT6XaSXOFJXnJt9TfpNHabI3YvKN+
GJSnGTDrnIISCK9pv8nL3+e5FomS+CMwiLR7LV7VDja4q+AXkxRzgNMDlKzYDn9R
J0hCVvBPVKpGJK+7JuLo3FEWt3D+i3vxsq76zqmlXR2Tg2yWJPiqcUfR9aDme5e0
LLFlE0CpDdPspvKn+Ai93+OWt9jOAxT5hYY6E2+IgYrqT78AtakQ1Iu5UwoQ+Cqv
OVWXzGwlHhg0FXapKO3P5kRXCvys+ZGoVKuzn6BTKPXNMkuxV2F8cA==
=l690
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Sat, Nov 05, 2005 at 04:39:40PM +1030, Alphax wrote:
 
David Shaw wrote:

On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote:


Salve!
Can somebody explain me what is back signatures?
Manual not very clear about this.


It's a countermeasure against an attack against signing subkeys.
Basically, the primary key signs all subkeys.  With backsigs, the
signing subkey also signs the primary key.

Without this, an attacker can steal a signing subkey from someone
else and try and pretend that a signature came from his own key.  It's
not a particularly good attack: the attacker can't issue signatures to
prove his ownership.


Will this remove the possibility of moving subkeys from one primary key
to another / converting primary keys to subkeys (documented at
http://atom.smasher.org/gpg/gpg-migrate.txt)?
 
 
 No, it's unrelated to that.  It's a countermeasure against a (somewhat
 weak) attack.  It has nothing to do with various bit twiddling you can
 do to your own key.
 

So how /do/ they work (and how does one go about moving subkeys between
keys)?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ29VrrMAAH8MeUlWAQiI1Af+IOP3LqxNddNc1tRxKo4BwNNm4MmiRQrC
XnOkj+kpEzt7TnlvYhEWy4QUW/Kjv/7F0DvW/68lMNsSq+MV/dm89wFNiRpUV0e9
XR6qf6/jMkJEyafhT0fkfJoZBrNRhhgT6Gdgl6yvGZbK4JscMAi0CaWzVZOBryaL
YNeaR+TKLhkleW6n4Q1nFodMeTZE7KgjzkyhcWvp3r6XB/mzQJ2R7EF+MD8C+P53
jmq9QQL0BAMq3F1Q6tunxHzdNknP9DUuS6pSWSVUUPZVkS/YCKX5LQFhE4txh4+E
pC1v4IExoJD7Ec4hfRCIZ01S/W349uxpupL4zhPlpIXSuiwb9DXyfA==
=lSYS
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Mon, Nov 07, 2005 at 11:55:02PM +1030, Alphax wrote:
 
 
It's a countermeasure against an attack against signing subkeys.
Basically, the primary key signs all subkeys.  With backsigs, the
signing subkey also signs the primary key.

Without this, an attacker can steal a signing subkey from someone
else and try and pretend that a signature came from his own key.  It's
not a particularly good attack: the attacker can't issue signatures to
prove his ownership.


Will this remove the possibility of moving subkeys from one primary key
to another / converting primary keys to subkeys (documented at
http://atom.smasher.org/gpg/gpg-migrate.txt)?


No, it's unrelated to that.  It's a countermeasure against a (somewhat
weak) attack.  It has nothing to do with various bit twiddling you can
do to your own key.


So how /do/ they work (and how does one go about moving subkeys between
keys)?
 
 
 I'm afraid I don't understand what you're asking here.  How backsigs
 work?
 

1. I have a cvs version of 1.4.3, how do I issue backsigs?

2. How can I move some subkeys from one key to another, where the key I
want to move them too currently has NO subkeys?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ29uHbMAAH8MeUlWAQjqEQf5AWjO1MUTnnpXblSugyp5uosKygmpSfP/
DkV+ULPCEPVFnxCY1BoekpWvjC+ZhyRzhjnjx9S79Xa5H3is6QQjo2r8Uy1ho8ju
MnVC5uascX4r5zQa7wHgZzCNjXwudd03ihBzh4De9+ZsP/QELbTKrPxFp5qhH7CE
hUHPh8TnkCejMcNk897Xs9zyHXZoeGSj9mQFtyO3lyOMyhV9Oey4X7bEKEXbDmVG
U5N/9c46QkQPuMGfOnJ7nxFBwq99n5OVKHGg4IcqsE/J5SIwKQCHmu0sTWCGdy8R
OFvj8uRh5iNJsVSx6t0+R68DizLRVyB//lluzXBdSUpoQP09iKkvFA==
=3oml
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: how to handle bad signers?

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Thomas Kuehne wrote:
 I've started to analyze the trust relations between the keys of various
 keysigning parties. The data below is generalization of several keys
 signing parties.
 
 the setting:
 * more than 20 potential participants
 * more than 15 attendees
 * 1-3 keys that signed every single key of all announced participants,
 even those that most likely never attended the party
 
 The interesting point is that those 1-3 keys haven't got a single
 signature from any of the other participants.
 
snip
 4) The owners are bad signers and didn't take part in the ID
 verification step of the signature process.
 
snip
 
 How should 4) be dealt with?
 
 As far as I am aware the is no negative signature or any other way to
 mark those keys - except for local trust settings.
 

Don't sign their keys?

Tell them if you do get a chance to sign their keys, I am not going to
sign your key because you do not understand the implications of the web
of trust and make them revoke their signatures on all the keys they
have signed without verifying them?

If you are lucky, they will be level 1 signatures, so you can exclude
them. If you are unlucky, they will be nonrevokable level 3 trust
signatures 10 deep.

Setting ownertrust to none in these cases is a good idea; at least
then your WOT won't be contaminated by their signatures.

However, I find it unlikely that they would even enter into your WOT to
start with; if that is the case, you need not even worry about what
their signatures are doing. Just set ownertrust to none and forget
about it. Use the --always-trust option when encrypting (IIRC GPG will
still warn you but will at least let you encrypt).

There is of course possibilty 5) which appears to happen most often with
PGP newbies (because it's TOO easy to use, and the instructions likely
don't require any understanding): the possiblity that they should have
made local signatures on the keys, but didn't, and PGP automagically
refreshed their entire keyring, spreading these signatures into the
wild. For an excellent example of this, check the PGP global directory
key; there are many signatures which have been revoked due to accidental
non-local signing, and many keys in the keyserver network have PGP GD
sigs on them, again due to automagic refreshing (most likely through
LDAP).

I realise that this has turned into a bit of a screed, but it looks like
the best policy is: Don't do stuff unless you know what you are doing!
Don't use software that does stuff behind your back! Use Free software!

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2yew7MAAH8MeUlWAQgPwAf/SmSJeK+V8kdQOu77VWGwLBRHzGs2pb8R
HY1GTlZiCKIqbUhAs3nz+9pTww5JlFV16N/8MQrF44VCrHDpytmPwsF+NcszfEeX
2/Iz2wQUjAqVepgmmxujqBIpcGMYPNrPk6yf+SByspOgVG6stFbBD3ZAMU41R36f
GLn/Hq6+A91qV1tAD1C9giHhDxy1WzZr8rHHPf68Cah54/8ndFhJnm/5tFrsAGVR
QG1og6ziaZzyexfAnCUhdxHaGkKry9UN58WGZGOKkth9Wdh/mTlduLezIR/Mff6r
4TQEWppp/LWg+mOnuik6OwsKuVHrxgZ4SUXUKtvtx3aa4oWrA4G4lw==
=CZoN
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Sat, Nov 05, 2005 at 04:32:07PM +1030, Alphax wrote:
 
David Shaw wrote:

On Sat, Nov 05, 2005 at 01:47:08PM +1030, Alphax wrote:


David Shaw wrote:
snip
I should add that this is a new feature for 1.4.3.


Has 1.4.3 been officially released yet?


Not yet, no.


How unofficial is it?
 
 
 It's as official as any release that hasn't happened yet: that is to
 say, we're happy and thrilled if you test it out and report bugs (to
 gnupg-devel), but you'll have to compile it from the SVN repository,
 and it's not considered stable code.
 

Considering that 1.4.2 won't compile on my system, that could be a problem.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2y04rMAAH8MeUlWAQh/yggApuqFc1sRkU6w6+whqE7GH3EooQIrp5On
8mIt1AeafrdFsEVRFALH+cc0Nvrna+KTPcze+mVQQM6lv5MRb3v+2GXpI8kqYIWL
CrpAfFUJH9UftBhw84ytcZn20gKg8Mw9Q1RZCcwj6sBtF9JIX4xAfgRvv972b7FH
fakqfbQ6hzkUciZUQmMWIBiHYcDZclAqmukD6iragtpYrK13vemCFO+hDViqbAb+
HXQQ+oL1kJk8BcXvuA1a/CNH9W3OLl2M+5pl4mnYP7ZqEKjQJ+gr1mBRmwvvwS5/
1M1trBgyTrycnL0Q0D/zoW7QJEY4AHrI4ImrChqjDm0ZgVEcENJRWw==
=CpjA
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: how to handle bad signers?

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Sat, Nov 05, 2005 at 12:30:46PM +0100, Thomas Kuehne wrote:
 
snip
 
How should 4) be dealt with?

As far as I am aware the is no negative signature or any other way to
mark those keys - except for local trust settings.
 
 
 That is correct.  It really has to be this way, for good and for bad.
 Trust is inherently subjective - even the 1-2-3 trust levels are just
 guidelines and there is no way to enforce them beyond asking people
 nicely not to abuse the system.
 
 Of course, it would be possible to propose a different trust model
 that takes into account such things (a reputation system), but that
 would be a reasonably different beast than the current system.  Not
 impossible, but it would take some working out of details.  OpenPGP
 currently has no way to make a negative signature.
 

If it did, there would be a corresponding Web of Antitrust.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2zEJ7MAAH8MeUlWAQhmzQgAooOGpX2p31Bgoc8F4egWzFgHCS2pWO+z
Bsl8YgnGdjzT7Q0GVOsP55LjPPKRSBh1+yIDrWYIqWyuLp1a74ZQTw5u8NDDtPj9
NhHSwa6kB+sQksaT3U5I4AZL7uygh79CI7AtGj/TOafoal+IKYXzVmA/DPGCVMkJ
ovhv1NzfXnyRR6UGmviBrket9gaWNOST65o75NrCQww2UelH31xNPweLXclRxWkf
aLs8wuNzO375MrtQkRtIFv0CDSysd4HMgByXC/p1QZdiv6o0rqKOq0heCTSPIr1Q
qMqfQY9y4aWHiifHvJeYllo04V8/b7yULSj6U8h2TUpjf9gZqmNuUQ==
=pM1Y
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Sun, Nov 06, 2005 at 12:04:27AM +1030, Alphax wrote:
 
 
It's as official as any release that hasn't happened yet: that is to
say, we're happy and thrilled if you test it out and report bugs (to
gnupg-devel), but you'll have to compile it from the SVN repository,
and it's not considered stable code.


Considering that 1.4.2 won't compile on my system, that could be a problem.
 
 
 So... report the bug?  We're not terribly good mind readers here.
 

Nah, it's my system. MSYS is not a runtime according to all sane
documentation.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2zGrbMAAH8MeUlWAQj7TggAsKkG5TNPuQWMuPerEf+CE9j7w/RmRBMY
MxCc3V5Kh0+HHcZT7yhP2ZmVwyFOEDH3qO2YKL1ouMEkm+KMHB3pQArb0Wjjlnkn
b574a5P/jzcvz/Fp75VurOPnrz/i3o2DzhKXURxSMQFVrsYrfL2TIb98KBUVGs+0
rbzvNjCZQ3cqVtu2moYRJnou7w5PVZUdWTH16NmuKSjVIt4mMnH+vG2yDud2lxkV
f31vlzD2K+Fgal8wkzVTNCtBQoZUEC2fB+7iXbwcTSwj6xjGReCih22lvyiB5qFU
lYzjYx2YCCCDbMoMYgMqVcBQy13N6PlJgYGad7RD2nwlYHQLKYLbBQ==
=efte
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Fri, Nov 04, 2005 at 02:24:09PM -0500, David Shaw wrote:
 
On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote:

Salve!
Can somebody explain me what is back signatures?
Manual not very clear about this.

It's a countermeasure against an attack against signing subkeys.
Basically, the primary key signs all subkeys.  With backsigs, the
signing subkey also signs the primary key.

Without this, an attacker can steal a signing subkey from someone
else and try and pretend that a signature came from his own key.  It's
not a particularly good attack: the attacker can't issue signatures to
prove his ownership.
 
 
 I should add that this is a new feature for 1.4.3.
 

Has 1.4.3 been officially released yet?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2wkM7MAAH8MeUlWAQh2hAf9Fr3wbnvSaNFprkxJ/aSv2Fw9IQqqDF87
kbfSfA6tjPdzh6P6pIUCb3Fjy/or1s0BLwTM9snTmhjK6eggT9a2JB/L7jMdjkTf
47q5ZM79Oi8NSUkOCJT/9fEe0X+4lzPfXrjHLwfeFJ50NJxvBupPtzzzjElhlBfC
oilO8eMzpT9FNgWaBJZIiOTANLRPgeN8NZS+AE4KKx/cSQZnCeoIrkVOxD7/HElm
6bfxZIsUFKDXMdOfJQJAhX+iBUtMjmU06/UDZlRV3unH8W8YDU4z6TlkCfwRihPj
h4LzeRB+ZjrLSy6zd6U5zsANqzURTkGq7EiIPgZp/ulaDD9vBWDj1g==
=g8ka
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Sat, Nov 05, 2005 at 01:47:08PM +1030, Alphax wrote:
 
David Shaw wrote:

On Fri, Nov 04, 2005 at 02:24:09PM -0500, David Shaw wrote:


On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote:


Salve!
Can somebody explain me what is back signatures?
Manual not very clear about this.

It's a countermeasure against an attack against signing subkeys.
Basically, the primary key signs all subkeys.  With backsigs, the
signing subkey also signs the primary key.

Without this, an attacker can steal a signing subkey from someone
else and try and pretend that a signature came from his own key.  It's
not a particularly good attack: the attacker can't issue signatures to
prove his ownership.


I should add that this is a new feature for 1.4.3.


Has 1.4.3 been officially released yet?
 
 
 Not yet, no.
 

How unofficial is it?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2xK3rMAAH8MeUlWAQgdbgf+N3WnnAPF/+AJgnssdjrhbb/JrCvlacU7
FBfVq/lTZt++rt28EgeT0sGIsVT+p9DyyoetY06wxsuJhGQn1a4RwFAKwlIsBDgS
IppX+lOcf2zuN7W6x4Xzq+wFKKNHwkSrUYFQdK/0oI6vZx6E45m5o9+9USONu248
hOMP5tUvgnQ8DStN/czOkke+Fig5/Gm7Lb8IJ8CqAF+3JPxthPmLt4lQDEcm3M17
Bm8VF48pHo6fozLghSDxPB2mJtGawgp9BaBwAghZJysFXf/E+Jm2TE2xw9vXpvDw
hfLQbl/OK+BuZlMocMkl6Ml9Bm6SEN1LsoiLkMHIJyN25B7JWJ75tA==
=faWd
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: back signatures

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Fri, Nov 04, 2005 at 10:15:16PM +0300, Pawel Shajdo wrote:
 
Salve!
Can somebody explain me what is back signatures?
Manual not very clear about this.
 
 
 It's a countermeasure against an attack against signing subkeys.
 Basically, the primary key signs all subkeys.  With backsigs, the
 signing subkey also signs the primary key.
 
 Without this, an attacker can steal a signing subkey from someone
 else and try and pretend that a signature came from his own key.  It's
 not a particularly good attack: the attacker can't issue signatures to
 prove his ownership.
 

Will this remove the possibility of moving subkeys from one primary key
to another / converting primary keys to subkeys (documented at
http://atom.smasher.org/gpg/gpg-migrate.txt)?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2xMo7MAAH8MeUlWAQjH6gf+KmeEkA1TrqYANLl6jWyCvVslMukZcDeI
yHFLgPT3tJY/dY+AU4mRsgcim3sd3alJan8Qz1mecEbxHHffXJCSbowagnUotx19
AP6ku/KFSC/yjF2dvttoDmmnSxWSzL9F0EoJI5O2o/xNXVaSjbR1wj+zq6Z7m84I
6R0QQguSDHmccPAtLmtdIereGuU8ai4seQI97JLD78eVM0gibR220WaTe482Bh3P
i+yNx6fMMjlGb/VB1AWTyK5b04SguGZQtKP4QQzxiAsfNvYYeRWlVuGwThrHTodd
+A30HeVql/PRkEo3ITtT8BQ6nelRikm+SDTo0Z3YCxLT7uRGzmeR7Q==
=Omcs
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Batch setting ownertrust

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alphax wrote:
 I know this is probably a bad idea, but I want to do it anyway...
 
 Is there anyway to set ownertrust on a key in batch mode?
 
 If there isn't, how can I generate an ownertrust file and import it?
 
 Alternatively, where can I find the specs on ownertrust files in the
 source code?
 

Never mind, I worked it out...

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2najbMAAH8MeUlWAQjdyggAjN/9nKfmpk+lserH8Rm6sQIRsOX+baCf
8Gj6TEQBf1z4AfuCbUsgAfgI54FBEUda1lE6HDdXqjXDrhuXetpgqQLSk0suXSvT
GtbZ1KO4daGTr08lxoUhxBou8pDBG1UKVi5fpNLl3Jyw9kpce7cmLWvuKbbAEO51
hk4DMQcIjreQ4/T4wdh1i+fzbkC0qJCEihjKZ41EFCHvindOiE2mxBhlRZ+swDYn
AhiT7SBoEXd4c8jZTehLKCrGOUryQwPCPvyJ72ljO7NZiwOzKbnpnprYN/JXg5S8
TeGu32r8r/NM+TgA64XX/GugEpr46/9aWaUDuBpy3SFzeyKNT3zbMg==
=qR5k
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Feature request: expand 'clean' to 'clean total'

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dirk Traulsen wrote:
 Am 29 Oct 2005 um 2:25 hat Henry Hertz Hobbit geschrieben:
 
 
On 27 Oct 2005 Dirk Traulsen wrote:

 
 snip
 
So here is my feature request: Please make an option to delete
signatures, for which there is no corresponding signing key on
the local keyring.
 
 snip
 
I hope I am misunderstanding this.  I think I am.

I have a little bit of a problem with this.  First, I am NOT part 
 
 of
 
the WOT and never will be (look at my name and you will see why).
Second, I have precious few public keys on my key ring, and Werner 
 
 is
 
one of them.  You should all of those pretty [User ID not found]
after all of those sigs.  Thank goodness I am NOT part of the WOT. 
 
 If
 
I was (part of the WOT) and cleaned out all of those signatures on 
 
 his
 
key, signed it, and uploaded it to one of the keyservers so it
reflected he had another signee, what would happen to the ones that
were cleaned out?  I am sure that most if not all of them are
legitimate signatures.

Like I said, I am pretty sure I am misunderstanding what you are
doing.
 
 
 Yes, you do! 
 This does not effect the keys on the keyservers! The keyservers 
 always only add or merge the keys they are sent. This means, if there 
 is already a key with that ID, they take the sent key apart and add 
 the new parts (if there are any). 'clean total' would have absolutely 
 no effect on the keyservers or the WoT.
 
 The proposal is about all those [User ID not found] in the keys in 
 your LOCAL keyring. My proposal would only have an effect on the 
 keyringsize on your storage media. 
 Even in my really small keyring, there are several thousand of unused 
 signatures. Can you imaging the effect on local keyrings with 
 hundreds of keys? Because you don't have the corresponding signing 
 key in your local keyring, gpg cannot verify them, so these 
 signatures are not useful for you. (With the exception, that you have 
 a visual hint that there are more signatures on the keyservers.) 
 

I have a keyring with 1600 keys on it which has a physical size of
almost 30MB. I would appreciate this feature very much.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2R1fbMAAH8MeUlWAQh57Qf+Oo50sxbj/lqTXbEW2BjuIsTyluRUpp3k
xNlH9NVELW4cStE3nKowbGkG29KytYotaERGzi3hn0O6l2ZyXnaiPmfEaT0ZIA9v
xC2XUfCrgueSXrTufB8oDtj2YS8qrWvwkOcgkdPJQTaK+yorpWtwJOHVkHN1V+E1
xwGnTzJC5HQa86CF8PsHAAmtnPsEe/q0tRsSel6/RzGCUhfBR7sOC4oTgRtypgn9
6eeVUBolrZe+bP/s9FR6YrxPo5T7Up/bVQkna6fglclWYAa+q07enw79jli4/20U
ghzMgcd5rIwPm0xg8tkqw41h/YYPZTqcj66UE+y0v6DjnNr2etnq4g==
=rkns
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Signature packets without (whatever)

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Tue, Oct 25, 2005 at 11:53:51PM +0930, Alphax wrote:
 
Recently, when checking my trustb I get the following appearing:

gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without timestamp
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket

Now, I figured that cleaning the keys would probably fix this, but the
question is: how do I find the offending keys?
 
 
 Given that one of the errors is a signature packet without a
 keyid... it's hard to locate the signature :)
 
 You could do trickery with gpgsplit and such, but I'd wait until 1.4.3
 is out.  It doesn't error on such signatures any longer.
 

Um... *bump* on 1.4.3, I just discovered that this (like all error
messages) is killing Enigmail.

Any way of finding the offending keys and cleaning them manually?

Oh yeah, clean total would be good for fixing this too...

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2W6X7MAAH8MeUlWAQheeAgAlii/xIcQmw2B1km/1b/mSWBlRaoojBoZ
HbEF0K21YHr/WcPS4WfLZmgG6JlVEr8on+ksQsxbRabWGfRfBbx4rRIyLgYJAZZ6
m2gAQ5iIAm+0dnDHYt4xPxfN6KAAuYveh64cMad6ebISwucrzq3ivsS/fgzKbEUK
3VyK8X0a2XecGn2iXL7uht1/RsoYgUF+fTq8Lt1iSmiVLb16chm62ZuxLK6TQDnb
SnX9wTaz/lavu8BBFRXa6mqyvSgqTz5FkCA48FOyHVDzA9JOSjKHFwVu1AfVRb56
e04BmoKXJgG1LzbGFLE9LlOm0YWIpRGu3NF5OPKQXvAjRssaW3V0IQ==
=lj5X
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Signature packets without (whatever)

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw wrote:
 On Wed, Oct 26, 2005 at 12:08:55AM +0930, Alphax wrote:
 
David Shaw wrote:

On Tue, Oct 25, 2005 at 11:53:51PM +0930, Alphax wrote:


Recently, when checking my trustb I get the following appearing:

gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without timestamp
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket

Now, I figured that cleaning the keys would probably fix this, but the
question is: how do I find the offending keys?


Given that one of the errors is a signature packet without a
keyid... it's hard to locate the signature :)

You could do trickery with gpgsplit and such, but I'd wait until 1.4.3
is out.  It doesn't error on such signatures any longer.


It's not dying, just warning me... however, I think they might be
responsible for my trustb becoming corrupt last week. Will 1.4.3
automatically remove such signatures or merely ignore them?
 
 
 I doubt this is involved in any trustdb problems.  All versions of GPG
 ignore such signatures.  1.4.3 just ignores them quietly.
 

Is there a way to actually GET RID OF THEM? I tried batch-cleaning my
entire keyring but it didn't help.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2NH97MAAH8MeUlWAQi5Pwf/dTeEdRTVIisZa+b3UyyKSci7nW652bh9
zMxH63351zL5gvD31RgU4ShWOQWMfIra/tbJarIhce2M2vFFZ8l5AKRHciBJ3/gg
2Ian5NHsiyeLYcUaJ1xWDy1MD5sLcdDZYnQJurFu0mOW/58UXbi3EgeC0NvgT02W
Sbagx+33mof89dhPUHZiQW0wpcVY1TGXuW6+0e+JwFXzwfstuaLMAB7rmi5V8GxX
wpVM0wulhH93o04S8WjxsCh8UYrjWU3veY+XTC2mulpFVccQHaZxmo7mXvzgg0d5
IeG0RIh/ihmB+DMreefTj4sVUW7jShK047qiLgvRa8ki0GMdsFtXnw==
=rYRK
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: allowed commands on keys that keyservers handle correctly

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Realos wrote:
If I like to remove my signature from a certain key and/or uid, what is
the best approach to that? Does it make sense to revoke the signature or
just delete it? I find both of these commands in gpg software but am
unclear what to use.

You need to revoke the signature once you have lost full control over
the public key (i.e. uploaded it to a keyserver).  Deleting a
signature/uid or key makes only sense if you can replace all copies
with the updated one.
 
 
 Replacing an old key with updated one seems to be possible with
 biglumber and such other servers. Such servers have the disadvatage of
 not syncing with other public servers and only allowing one public key
 per email address. 
 
 Are there any other drawbacks of Biglumber? 
 

Biglumber *does* (AFAIK) allow multiple keys per email address. That's
one of the reasons it's better than the GD.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2CxwbMAAH8MeUlWAQi5sggAqE32MzcjtcvqEIJ83m1rQ2D39C9krvg3
PyCx0KRJ1T31GvV1rVVKRbHozEw5aCHR7BgtJflDugCR3rfe079wXrB5Tui1erzQ
esg6kr1UBTsfwxgUArfHXBc/4hnevO/AsKZtwI5VuM/epUnW0nrHPbQC5VP6nMQ5
j4YW4Of4w7IatjU5OUognJgbVUwIYj76SswnCyrhW42re6xq/Ak1kwqD6L5LoKM/
JftWVBfu85ypRIaKAWX+Bqu9l3r1OE4i7JfAoAwHb7ZhSNVXoFEiYcOferUA8iA/
S6rPrpVyTaj4bAQFpFMKpCgog7BcWqer4YyzNEnKwPnMXjqLMO5PLw==
=h9bI
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Lots of questions

[Alphax]

 order should be the following (from the best
 to the worst):
 a) SHA512
 b) SHA384
 c) SHA256
 d) RIPEMD160 (no sure if SHA-1 should be before this because of that
 chinese team that found collisions and so on)
 e) SHA1
 f) MD5
 Correct?
 

SHA384 is /useless/. It's just a truncuated version of SHA512. In my
mind (and remember, I'm just some guy answering your email), it's a
security risk.

RIPEMD160 is currently the best choice for a 160-bit hash algorithm,
provided you use an RSA key. SHA1 is not completely broken *yet*, but
it's a lot less secure than it was before Februrary.

MD5 is completly and utter broken, in real time.

 
 3) Compression algorithms
 GnuPG supports: Uncompressed, ZIP, ZLIB, BZIP2
 I think the best preference order should be the following (from the best
 to the worst):
 a) BZIP2 (I don't bother if there are Windows users or so that can't
 support bzip2 *g* )
 b) ZLIB
 c) ZIP
 d) Uncompressed
 Correct?

Since you don't care about Windows users, bzip2 is fine. GPG is pretty
good though; I use Windows and don't have any problems with bzip2.

 IV) How to create my new key the best way?
 
 Ok these days the Systems is in Munich and there's the c't Magazine
 that signs keys and so on :-D
 So I'd like to make a new key asap and have it signed,.. ;-)
 

Join a Linux User's Group, put your key on Biglumber, and attend
keysignings.

 Ok,.. now I wonder how I should do this the best and cleanest way.
 I suppose my assumtions above are correct and RSA-R/ElGamal would be the
 best and that the algorithm preference is also the best, if one could
 say so...
 

RSA-S/ElGamal-E with your prefs should be OK; prefs can always be changed.

 And I suppose that the default random settings in Linux (normally I use
 debian, but I think I'll boot from a Knoppix CD to create the key,..
 hope the include the latest version of GnuPG) are already the best,
 correct?
 

Set your s2k-* options as strong as you can and use the best RNG you can.

 My ~/.gnupg looks:
snip

A lot fuller than mine :)

snip
 Can I change that sig-policy-url, cert-policy-url, set-policy-url
 and sig-keyserver-url later without loosing signatures on the UID?
 

These are settings in gpg.conf and are only applied when making signatures.

 Ok,.. later I'm going to play with Smartcards, too :-)


Keep in mind that you will be called on to help debug new them if you
get one :)

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2Cw0LMAAH8MeUlWAQh8MggAiYkxFPaB+y75tXWI52nvCYgKI1C9bYgV
nPyiOPjTl32Hywa4f1C2KmZ/bTLr7FWTN7kcZdu7Ws/ZrmgqRkL7/vPpLNNi6+K3
jNDsMeM7+m7IlYKf7VQeuJiqhGCT9guvSKLBcC648joayUxJjUHIU/G1oYaQhWTC
cpzVJsmFOhli2pUxAv6G4/01jcqmdDeJv0yfvpUHMrWLctpQv/kPcR7UyI7QVT1T
n9HFE2FBBqz63c4uDkJZGodNlgRjk7bZWL5dI3cjCrinHutoNTkfN8lzWhdNtVyJ
0K5zMVukB44nHodCiSVWdNk1h9nhvi71q1VbDMubb0+r7wxlDNfDBA==
=EzW3
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: ECC

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Topas wrote:
 Hi.
 
 When are we going to have ECC support in GnuPG?
 

Is it in OpenPGP yet?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ2CxIbMAAH8MeUlWAQhNDQf/R4GFn6bEX6DSMPqY2AOFWhp7mIzJDFvz
IctXHWjLyw22L7m/0s+1h6eIowP9l6FvW5wU9V/377NkRWGALhhWgWS3jpydqhfX
NggbYqIZ8xp5/1hNjvpi1JJUp1WEOYRx5CBN7kBXtRB51+P/ms9DbgCtazBen8pO
l5zIC54+/ffUlwbwBE6cOybI0Dz65tnCtbes+4KjURBdXl6m5Xcwu9yQy2Phkb6v
gWL3jKAxcYeYtwWZMdHPJXaHZIe9IONMVgBtvvWxUspNP1CJ2yQioZJDPM/mX5jV
r0wArNDI6VSBFkaBACby9YDFPiT/R7vqdAJiHQXaymKidSmSUrTRlw==
=S6ns
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Signature packets without (whatever)

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Recently, when checking my trustb I get the following appearing:

gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without timestamp
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket

Now, I figured that cleaning the keys would probably fix this, but the
question is: how do I find the offending keys?

Or should I just batch-clean the lot?

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ14/9rMAAH8MeUlWAQgsPQf/RtAXvT6o2PDGO/SvmrNHAol3WFAC1+KH
fSx/EfxCzglJU3oAjX0Q4XOx4we/JfFUm5+jp8S4A4u5cJXwa94clCTr8pENmKrz
NX272+FfxvvRd9OhkCocdvKJ5ESiAhfG/VghjSh8vKidzCRQ/FM7N0yucvE/SeO4
MuCi8RJO7A+OG7HPs2Mz0MOlvmPAGqyMCgJm/Ff7E+tvhFVZGfr2iSHHN38bmmVC
+ULD4RrRhLtdv8rnGO4eL7q0X4wZYi5ohYi6vm+TtBPAYk+D3esqULEZiuQlrjcn
Wl2xAfe6rd0h79u+qoCtEmQJ/ld8BSKI8uUJRR2PZVkIpqg6FWlc+Q==
=PU3W
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: security measures?

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

John W. Moore III wrote:
 Mica Mijatovic wrote:
 
 
2. frequency of changing passphrases
- in a user who accesses emails via net cafes (think keyloggers)


Also good idea. Let's say after each use via net cafes, as soon as
possible. Well, would be ideally.
 
 
 However, keep in mind this:  If a keylogger/spyware ensnares one's Key 
 operable passphrase, then merely changing the passphrase once you get
 home will not eliminate the intruder from now having a matching
 combination for later use.
 
 The best/paranoid practice would be to have a Key used only on one's
 portable/Public PC device coupled with a codeword for each
 correspondent to be inserted within each missive to confirm authenticity.
 

Create a seperate signing and encryption subkeys and export them,
disabling the secret part of the primary key when you do so. A good
tutorial on this is available at http://fortytwo.ch/gpg/subkeys

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ1HEarMAAH8MeUlWAQgTVgf8CLHColEuJSIq+iweje1t/P1josJ5QoaK
fUgTAZkN/mTgNnHiiiRHqxwjU+eKvpwZyuyFntgkE3K0a2IpED+vuXZJ12BOQSfu
bKmERwmI3X6SWefndl8yqg7Wl3trX789mEzHVKEJYFDf7M2O+XyiwMiiHx6lXaWE
JibeefRXbheks558sKKi4QcmVMKWIItpxB0rBNMm9Rk0NVwK8npdLrVkPVpg9FVZ
Y8XGtCY3wyrPCBA5fApybMdw4CW9QY+SO21bVLBayehdx758+kJ98GIyFZGq/h6x
RT3UdnaYcY9CJjcBt269NHR+Rg0rPkTjwBRFsXpDXrxJWe1WkfWVTw==
=P85/
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to fix the user ID on an old key?

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Oskar L. wrote:
 Hello,
 
 I've got an old keypair, generated in 2003 with the current PGP version at
 that time. When I import the secret key, I get:
 
 gpg: key 75AC881F: no valid user IDs
 gpg: this may be caused by a missing self-signature
 
 I'm able to get the key to work in gpg, but is there any way to fix it, so
 that I can export it, delete it from the keyring, and re-import it,
 without getting that message? I've tried --allow-non-selfsigned-uid, but
 that doesn't seem to change the key, only the way gpg handles it (when
 exported it's still the same). Included below is the output from pgpdump,
 in case that's of any help.
 

Re-import it from a keyserver, the copy on the SKS network has a valid
self-sig...

If that doesn't work, gpg --sign 0x75AC881F ...

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ0zeH7MAAH8MeUlWAQgaRgf/TQRw/pHUBVBaGrRNN2t1Ch+SnNbwRWeS
IvDXXfNErNJGd5B8nMQkB6NdhJZfdGbs/6eP8/0Eq+zK/cvt4x+/amC2YsFzaA1T
v28JmOxGaOV+jjimhbPtMdu7bRH3bxr2Trj/Kp/lD2pltTZ076ekvFiRawCWDxaq
7h00VqMvN1pe4VM1+qlyogen911Uh4J3UDqW8L8Lz1vIoEsFktRpV9kEW4ytdiUU
Fi/cca1EpaCw9+S3L6lB8ZFJ0P/JRjOOTaANaY9DRP0u+YQJTFTJR1oyh3nhU7OD
puugUUlqy87LtCp4mgFXM2TDTudTAQeizrZ7PG1HDX0S5ZsTE0BGOg==
=CHyP
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Armor headers

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

lusfert wrote:
 Hello.
 
 How can I change text (not by manually editing) in armor headers (for
 example, Version:) or armor headers themselves (add, remove)? Will it
 affect compatibility with other applications?
 
 Can I put custom text into Version: in stage of exporting public key,
 making signatures, encrypting with ASCII output, etc.?
 
 Sometimes I do not wish that others will know what exactly OpenPGP
 implementation and OS I'm currently using.
 

Well, you can use --no-emit-version and --no-comments...

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ0fOi7MAAH8MeUlWAQgy0gf8CBVH9VNb6dcDvGmmTrUrLn1u+pUShVPx
CE32CP2ybfp2i3Rh9J7a6lCZSQQ1rnpjHL8Nk837S5c5ulIrszaZz/hdnl7RxE5w
sjOMHbCMjIa0ahXfNGh0qki23wOCcEnFYvFWhBA+CzxDTixMm/EU9Y02Mnhcfn7g
Cbaf9gF7nM1HGKpSQL6gRl+5TsUD3izROdbFRfuiq5exEPvarI9GO7i2oQ6aO8dW
qehao982/QN0mOKrlcrWUQGS3WOVStJpaa3CTu3CJSVueYiE7Z3XkCIvg2AB11F5
21muISkpvf5TSnyy25rhSgm/MgJTBG+R/pa0Lwk9Hb8njgC8iR7a5w==
=ROPu
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Convert Sign Only Primary Key

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Klaus Fuerstberger wrote:
 Hi,
 
 a time ago I created a Sign Only DSA Key with an ElGamal Encrypt
 Subkey. Now I noticed that it is not possible to encrypt a message with
 PGP to this Public Key because PGP only sees the sign only primary Key
 and not the encrypting subkey.
 

Must be a very old version of PGP...

 Ist there a possibility to convert the Sign Only primary Key to a
 Sign and Encrypt Key?
 

It's not possible to use DSA keys for encryption. You can however
generate RSA sign  encrypt keys.

 Any other possibilitys to use this Key, so it is compatible with PGP?
 

I'll cc: this to PGP-Basics @ yahoogroups; see what the people over
there can dig up.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ0JTri/ia4ZoBgmdAQg0pQf/TU5I4Frw54QqJTd8EHYYhIBMqb5iCW2Y
JUlrXJcSHQ3rOg5PbUlXL8RO1gq7oGIZN+4pm/fnxcFlZ/o+uMx9mKl4QQM9GL3T
LXL2xgwPNlcHH9mU5sXZza/OfeXsPTar2axpeAKgrR16dzNYztLdgBCvjLrq6MdG
5XLdKeaGJecCOLrD8utUm4G9cSA5Z2hyqx6oVsF/bI60qQZhqQ5Bnwp/zpAKtNWI
535lFexUVVhNWxho7koakcAXBbrf1hHbZikUwxN68LroXHM3usFOyHB/hPedE9q2
zvuwcCiaky6P2A+fdRAujQUH5BnPe4p+dRITyjrbEh6NMsxU05EUfg==
=BDNN
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Convert Sign Only Primary Key

[Alphax]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Klaus Fuerstberger wrote:
 Alphax said the following on 10/04/05 12:04:
 
 
a time ago I created a Sign Only DSA Key with an ElGamal Encrypt
Subkey. Now I noticed that it is not possible to encrypt a message with
PGP to this Public Key because PGP only sees the sign only primary Key
and not the encrypting subkey.
 
 
Must be a very old version of PGP...
 
 
 Maybe You missunderstand my procederes:
 $ gpg --gen-key
 Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) RSA (sign only)
 
 Here I selected 2. After the key creation I did a:
 
 Command addkey
 Please select what kind of key you want:
(2) DSA (sign only)
(3) ElGamal (encrypt only)
(4) RSA (sign only)
(5) RSA (encrypt only)
 
 Here I selected 3.
 
 This key does not work with PGP5 for encryption. Only for signing.
 

It may be that PGP 5 doesn't support ElGamal keys. Try adding an RSA subkey.

- --
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQ0J757MAAH8MeUlWAQhZlggAjao1fhPEx4AHlDETCAHXAVTqMv6rZhJk
PmU5oecEkk/IkS1JLXdacrpNzSl+1FUL3nSVYPdAUSq+ZQ8TEBdHnvhnKW8EjOaQ
G7JIAEBW9xn6ctLEGkDGdPQYdsjB6dFuCmnjleQtLEsw6XE2VGDyRLBUPhpKG0Lq
66i2WtNK2T9+bh913jdQHMt2xpf86LAxAySAEZA7jYqh6mL2+SV5/+Lbkg1JRl3D
SREiNFWPQENYpnUQ3vY0yrUR96AzbCR1ucRk7b7GtJjxnTaIT7kRpy9bCqXM1zHV
x2G7xnDuWk1uiRyJkUlNGsuzOAIw4D/V4ei3EHkA1FMBMMKjmXxmFQ==
=Ukir
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Any way to get smaller key sizes?

[Alphax]

Laurent Jumet wrote:
 Hello !
 
 Is there a way to check the signature below with GnuPG?
 
snip S/MIME cert

Possibly with GnuPG 1.9...

I did some fiddling with the raw message, if you remove the MIME
seperators inserted by mailman and replace them with the MIME lines in
the original message (the Content-Type: line), you can make the
signature show up (and indeed verify) with Thunderbird.

However, the sheer size of the signature (the fact that the entire
certificate is included with it) and the breakage that occurs with
mailing lists continues to demonstrate the superiority of using OpenPGP :)

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Two questions

[Alphax]

John Clizbe wrote:
 Gary Graham wrote:
snip
 Second: I have a Thawte Freemail certificate. I have Enigmail set 
 to use it.  How do I import it, or whatever, it into my GNUpg 
 keyring?  I see several have done it.
 
 
 How do I say It's more trouble than it's worth? You have to use PGP
 as an intermediate step.
snip

From my understanding of PKI, there's another way to do it, which is
*even more* trouble than it's worth...

Extract the raw key (as in, the really big number) form the X.509 cert
and convert it into an OpenPGP key by taking a large bottle of your
favourite alcoholic beverage, read the relevant RFCs while consuming
about half of it, attempt to perform the conversion, and drink the rest
of the alcoholic beverage when you realise how futile this is :)

Or should I just go ahead and drink the whole bottle right away because
I've gotten the procedure wrong in the first place? ;)

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)

[Alphax]

David Shaw wrote:
 On Sun, Sep 11, 2005 at 09:27:54PM +0200, Johan Wevers wrote:
 
David Shaw wrote:


I have sympathy for that argument, so wouldn't it be good to trace
down where the sigs are entering the keyserver net, and ask whoever is
doing it to stop?  It seems like the obvious first step.

Assuming this is possible at all. I don't know exctly what keyservers log,
but I'd assume that making the links GD sig upload - IP address - email
address is not trivial.
 
 
 It wasn't an idle suggestion.  You can assume that I do, in fact, know
 that this is possible, or I wouldn't have suggested it.  Why on earth
 an email address is relevant here I have no idea.  You don't need
 anything more than the IP address.
 
 I made the suggestion as a challenge.  The trace is not actually going
 to happen, as it is far, far more entertaining to complain and moan
 about the GD than it would be to see who is bridging the signatures.
 

It has been suggested that automatically retrieving keys from keyservers
can expose your IP to the keyserver manager, as all they have to do is
generate a new key, send it to you, and wait until someone downloads
that key...

It seems likely that sigs from the GD are entering via one of two ways:
firstly, individuals putting their keys on the global directory, and
then sending their keys with GD sigs out to SKS keyservers; secondly,
someone doing a 2-way synchronisation of their entire keyring with both
the GD and the SKS network.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request

[Alphax]

cdr wrote:
 MUS1876 wrote:
 Alphax wrote:
 I have friends who currently don't want to use PGP because they
 fear that their keys will be uploaded to a keyserver, and then
 they will be spammed forever more.


 I totally agree what friends of Alphax say.

 Wouldn't it be cute to have a sepcial option to flag both keys and
 subkeys as non exportable (uploadable) to keyservers? Speaking of
 myself at current, I also don't want to see any of my keys posted
 to a keyserver by someone else, be it on intention or not.

 The time is ripe for a GPG variant: (GPG-lean ?): a public key
 encryption utility with no built-in e-mail ties and no attempt
 whatsoever to incorporate the solution for the authentication
 problem. (For the majority of us, fingerprint-exchange-by-voice is
 more perfectly adequate).


Ciphersaber?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: This IS about GD - a proposal on dealing with the problem

[Alphax]

Zeljko Vrba wrote:
 Pawel Shajdo wrote:
 
I think this is public more keyservers design problem than GD. Keyserver
should accept new signatures only from key owner.

 
 
 Hm, maybe to define a key upload format which must be signed with the
 uploaded key itself (analogon of PKCS#10)? Of course, the public key
 itself should have some flag set to signed upload only so that the
 server doesn't accept it without the corresponding signature.
 

However, the keyserver would then have to verify the signature of the
uploading key... how much of an extra burden would this be?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: This IS about GD - a proposal on dealing with the problem

[Alphax]

Zeljko Vrba wrote:
 Alphax wrote:
 
However, the keyserver would then have to verify the signature of the
uploading key... how much of an extra burden would this be?

 
 In what way extra burden? Computationally (CPU), programming
 complexity, or...?
 
 Computationally - it would be done only oncem on key upload. It is not
 really an expensive operation - the same as verifying a GPG signature.
 And I think that modern servers have much spare CPU time..
 

I don't suppose any keyserver operators could tell us the specs on their
machines...

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)

[Alphax]

Johan Wevers wrote:
 Alphax wrote:
Removing duplicated signatures however would probably have little impact,
assuming you are removing only the newest ones
 
 Don't you mean keeping the newst ones?
 

Er, yes. However as David Shaw pointed out further down the thread,
there's no safe way to do so without validating the signatures first.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)

[Alphax]

David Shaw wrote:
 On Fri, Sep 09, 2005 at 11:02:56AM +0200, Johan Wevers wrote:
 
David Shaw wrote:


I'd be all in favor of an option where users could elect to filter out
keys: that would put the user in control.  Forcing your decision on
others by stripping signatures is a very disturbing step.

Considering the behaviour of the GD, I'd say it's also a practical issue
about resources: if it keeps signing keys like this, an SKS server might
well be in need of seriously more hardware than it is now. Someone's got
to pay for that, amd I don't think all keyserver maintainers want to.
 
 
 I have sympathy for that argument, so wouldn't it be good to trace
 down where the sigs are entering the keyserver net, and ask whoever is
 doing it to stop?  It seems like the obvious first step.
 

Well, I don't know *where* they are coming from, but I (and the kind
soul who worked it out and told me) know think we know *how* it's being
done. And unfortunately, it's very easy (too easy!) to do, especially
for someone with a high-speed internet connection.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: PGP global directory cruft in keyservers

[Alphax]

David Shaw wrote:
 On Tue, Sep 06, 2005 at 01:36:37PM -0500, John Clizbe wrote:
 
Kurt Fitzner wrote:

snip
gpg --edit-key keyID clean

And setting the clean-sigs and clean-uids options on import-options,
export-options, and keyserver-options are our only defense until then.

Like you, I refreshed from a SKS server and found 120 new sigs on my key,
ALL PGP Universal Keyserver.
 
 
 To my knowledge, the PGP GD doesn't sync with anyone.  It would be
 interesting to know how/where these signatures are leaking into the
 keyserver net.
 

Probably some PGP users who are automagically synchronising their
entire keyrings with multiple keyservers, leaking keys that their owners
would rather not have on the keyservers in the process :(

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Card

[Alphax]

Alon Bar-Lev wrote:
 David Picon Alvarez wrote:
 
 I dropped all stuff regarding the differences using API and
 communication... I think you are wrong, there is exception for the
 rules... I try now to contact FSF for a formal position.
 

 The lawyer who wrote GPL wrote it with the explicit intent to incentive
 programmers to write free software and keep software free. Allowing
 linkage
 to or from NON-GPL code is generally considered to be
 counterproductive for
 the purposes stated.

 
 Here is what you imply... And it is so sad that I want to cry :-(
 
 On Microsoft platform, there is an API called CryptoAPI which is
 provided as part of the operating system.
 This API uses CSPs (Cryptographic Service Providers) that is provided by
 the smart card vendors.
 

You trust the Microsoft CryptoAPI? Well why don't you just run Windows,
which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt
X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in
the CryptoAPI?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Card

[Alphax]

Werner Koch wrote:
 On Tue, 06 Sep 2005 19:35:34 +0200, Zeljko Vrba said:
 
 
As Alon did remark earlier, the general movement in the industry is
towards multi-purpose smart-cards. OpenPGP card currently doesn't fall
into this category.
 
 
 Not true.  The OpenPGP card specification is a card application and
 you may put as many other applications on a card as you like and the
 EEPROM allows to.  With 6k (and even less possible) it is actually a
 pretty small application.
 

Um... slightly OT, but...

1. What's the standard size of the EEPROM on a smartcard suitable for
OpenPGP?

2. What else could you fit on such a card?

3. Is it possible to have multiple things on a smartcard without them
conflicting?

Thanks,

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Card

[Alphax]

Peter Gutmann wrote:
 Alphax [EMAIL PROTECTED] writes:
 
Zeljko Vrba wrote:

Joe Smith wrote:

For example, your CA can revoke your key leaving you with one key that
is invalid X.509, but valid OpenPGP? Yuck!


Using the X.509 cert and OpenPGP public key (having the same private
key) could be useful in the following scenario:

Is that even allowed??
 
 
 SPENGLER (emphatic): Don't cross PGP and X.509. 
 
 VENKMAN: Why not? 
 
 SPENGLER: Trust me. It will be bad. 
 
 VENKMAN: What do you mean bad? 
 
 SPENGLER: It's hard to explain, but try to imagine Werner appearing suddenly
 and beating you to death with a large copy of the GNU manifesto.
 
 VENKMAN (with military authority): That's it! No X.509. You guys are
 dangerous.
 

Wait, where's Richard Stallman in all of this? :)

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Card

[Alphax]

Alon Bar-Lev wrote:
 Alphax wrote:
 The only place in the GPL where libraries are mentioned is in
 reference to the LGPL. Using the Microsoft CryptoAPI doesn't appear
 to be legal; AFAICT, this is similar to the reason why Enigmail
 insists on GPG instead of being able to interface with PGP on
 Windows systems.
 
 So you say that it is illeagal to run GPL software on windows or on
 AIX... It also make no sense... Since it is...
 

No, I'm saying that a GPL program (Enigmail) can't interface with a
proprietary application (PGP) but has to interface with a GPL
application (GnuPG).

I'm not sure how interfacing with such a program or library through a
pipe would affect the situation. IANAL.

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Card

[Alphax]

Janusz A. Urbanowicz wrote:
 On Tue, Sep 06, 2005 at 11:48:45PM +0930, Alphax wrote:
 
The application is free to do whatever it wants with these objects,
given sufficient authentication to the card (PIN). Technically, there is
nothing CA can do to prevent you to use your X.509 keys as OpenPGP keys.

I think I might have seen something like that with a Thawte Freemail
root certificate or something... it wasn't pretty :(
 
 
 When Thawte signed PGP keys as a part of Web Of Trust program, they used the
 same key in both OpenPGP and X.509 form.
 
 Why you say it wasnt pretty? An actual RSA modulus is well hidden within the
 stuff so it doesn't really matter.
 

They converted the same key several times, so there were 3 or so keys
with the same long fingerprint, but different creation times - multiple
copies of the same key.

Is it possible to arbitrarily make an OpenPGP key with whatever keypair?

-- 
Alphax  |   /\
Encrypted Email Preferred   |   \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |X   Against HTML email  vCards
http://tinyurl.com/cc9up|   / \

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users